Skip to content

Any user can see any fields (including mailbox password) with GroupBy Dashlet

Critical
piRGoif published GHSA-xh7w-rrp3-fhpq Jul 21, 2021

Package

No package listed

Affected versions

<2.7.4 <3.0.0

Patched versions

2.7.4, 3.0.0

Description

Impact

A non admin user can get access to many class/field values through GroupBy Dashlet error message.

Patches

Fixed in 2.7.4 and 3.0.0

References

Combodo ref N°3473

Credits

Many thanks to
Lars Kaltefleiter / Itomig for this report !

For more information

If you have any questions or comments about this advisory:
Email us at [email protected]

Severity

Critical

CVE ID

CVE-2021-32775

Weaknesses

No CWEs