PT-2018-4363 · Equinox · Evergreen

Jason Boyer

Published: 2018-02-01

Updated: 2018-02-15

CVE-2015-2203

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Evergreen versions 2.5.9, 2.6.7, 2.7.4

Description

The issue allows remote authenticated users with the STAFF_LOGIN permission to obtain sensitive settings history information. The exposure exists because open-ils.pcrud is listed as a controller for the affected classes in the IDL, so the data can be read through that interface.

Recommendations

For versions 2.5.9, 2.6.7, and 2.7.4, consider restricting access to the open-ils.pcrud controller so that users cannot obtain sensitive settings history information through it. As a temporary workaround, restrict the STAFF_LOGIN permission to minimize the risk of exploitation.

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2015-2203

Affected products

Evergreen