Jason Boyer

Researcher rank: #31796 of 53,634
Total CVSS: 8
Vulnerabilities: 2 (Medium: 2)
PT-2018-4113 · CVSS 4.0 · 2018-02-01
Equinox · Evergreen · CVE-2013-7435

**Name of the Vulnerable Software and Affected Versions** Evergreen versions prior to 2.5.9; Evergreen versions 2.6.x prior to 2.6.7; Evergreen versions 2.7.x prior to 2.7.4.

**Description** The IDL file (fm_IDL.xml) that drives Evergreen's open-ils.pcrud service declares no user permission for retrieving the settings history class. Because pcrud enforces only the permissions written in the IDL, a remote attacker can call the open-ils.pcrud endpoint and read sensitive settings history information without any permission check.

**Recommendations** For versions prior to 2.5.9, update to version 2.5.9 or later. For versions 2.6.x prior to 2.6.7, update to version 2.6.7 or later. For versions 2.7.x prior to 2.7.4, update to version 2.7.4 or later.
PT-2018-4363 · CVSS 4.0 · 2018-02-01
Equinox · Evergreen · CVE-2015-2203

**Name of the Vulnerable Software and Affected Versions** Evergreen versions 2.5.9, 2.6.7 and 2.7.4 (the releases that fixed CVE-2013-7435).

**Description** The fix for CVE-2013-7435 added a permission requirement but left open-ils.pcrud listed as a controller for the settings history class in the IDL. As a result, any remote authenticated user holding the STAFF_LOGIN permission can still retrieve sensitive settings history information through open-ils.pcrud; the check stops anonymous access but not access by ordinary staff accounts.

**Recommendations** For versions 2.5.9, 2.6.7 and 2.7.4, restrict access to the settings history class through the open-ils.pcrud controller so that STAFF_LOGIN alone no longer grants retrieval. As a temporary workaround, limit which accounts hold the STAFF_LOGIN permission to reduce the exposure.
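Both entries above come down to the same root cause: what open-ils.pcrud will hand out is decided entirely by the `controller` attribute and the `<permacrud>` block of each class in fm_IDL.xml. The following audit script is an added example, not part of the dbugs page and not Evergreen's own tooling. It parses an IDL document and lists every class that is exposed through open-ils.pcrud but whose `<retrieve>` action declares no `permission`, which is the shape of the CVE-2013-7435 defect; it also lists which permission each exposed class does require, so a reviewer can spot classes gated only by a broad permission such as STAFF_LOGIN (the CVE-2015-2203 situation). The IDL namespaces and attribute names are taken from Evergreen's public IDL format as I understand it and should be treated as assumptions; the sample IDL embedded in the script is constructed, and its class ids (`xhist`, `xset`, `xint`, `xnop`) are hypothetical, not real Evergreen classes.

```python
"""Audit an Evergreen-style fm_IDL.xml for classes that open-ils.pcrud
exposes without a retrieve permission.

Usage: python audit_idl.py [path/to/fm_IDL.xml]
Without an argument the constructed SAMPLE_IDL below is audited.
"""
import sys
import xml.etree.ElementTree as ET

# Namespaces as used in Evergreen's fm_IDL.xml (assumed from the public
# IDL format; adjust if your installation's file differs).
NS_IDL = "http://opensrf.org/spec/IDL/base/v1"
NS_PERMACRUD = "http://open-ils.org/spec/opensrf/IDL/permacrud/v1"

PCRUD = "open-ils.pcrud"

# Constructed sample IDL fragment. Class ids are hypothetical.
#  - xhist: listed for pcrud, <retrieve/> with no permission  -> finding
#  - xset:  listed for pcrud, retrieve gated by a permission  -> fine
#  - xint:  not exposed through pcrud at all                  -> ignored
#  - xnop:  listed for pcrud but carries no <permacrud> block -> review by hand
SAMPLE_IDL = """<?xml version="1.0"?>
<IDL xmlns="http://opensrf.org/spec/IDL/base/v1"
     xmlns:oils_obj="http://open-ils.org/spec/opensrf/IDL/objects/v1">
  <class id="xhist" controller="open-ils.cstore open-ils.pcrud"
         oils_obj:fieldmapper="example::setting_history">
    <fields><field name="id"/><field name="value"/></fields>
    <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
      <actions><retrieve/></actions>
    </permacrud>
  </class>
  <class id="xset" controller="open-ils.cstore open-ils.pcrud"
         oils_obj:fieldmapper="example::setting">
    <fields><field name="id"/></fields>
    <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
      <actions>
        <retrieve permission="VIEW_ORG_SETTINGS" context_field="org_unit"/>
      </actions>
    </permacrud>
  </class>
  <class id="xint" controller="open-ils.cstore"
         oils_obj:fieldmapper="example::internal">
    <fields><field name="id"/></fields>
  </class>
  <class id="xnop" controller="open-ils.cstore open-ils.pcrud"
         oils_obj:fieldmapper="example::no_permacrud">
    <fields><field name="id"/></fields>
  </class>
</IDL>
"""

RETRIEVE_PATH = "/".join(
    f"{{{NS_PERMACRUD}}}{tag}" for tag in ("permacrud", "actions", "retrieve")
)


def _pcrud_class_elements(root):
    """Yield (class_id, element) for classes whose controller list names pcrud."""
    for cls in root.findall(f"{{{NS_IDL}}}class"):
        if PCRUD in cls.get("controller", "").split():
            yield cls.get("id"), cls


def pcrud_exposed(idl_text):
    """Sorted ids of every class that lists open-ils.pcrud as a controller."""
    root = ET.fromstring(idl_text)
    return sorted(cid for cid, _ in _pcrud_class_elements(root))


def retrieve_permissions(idl_text):
    """Map each pcrud-exposed class that has a <retrieve> action to the
    permission it requires; None means the action declares no permission
    (a missing or empty attribute). Classes without a <retrieve> action
    are absent from the result."""
    root = ET.fromstring(idl_text)
    perms = {}
    for cid, cls in _pcrud_class_elements(root):
        for retrieve in cls.iterfind(RETRIEVE_PATH):
            perms[cid] = retrieve.get("permission", "").strip() or None
    return perms


def unrestricted_retrieves(idl_text):
    """Class ids readable through open-ils.pcrud with no permission declared."""
    return sorted(c for c, p in retrieve_permissions(idl_text).items() if p is None)


def main():
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDL
    perms = retrieve_permissions(text)
    for cid in pcrud_exposed(text):
        if cid not in perms:
            print(f"{cid}: exposed via {PCRUD} but no <retrieve> action; review by hand")
        elif perms[cid] is None:
            print(f"{cid}: FINDING - retrievable via {PCRUD} with no permission")
        else:
            print(f"{cid}: retrieve requires {perms[cid]}")


if __name__ == "__main__":
    main()
```

Run it against a real fm_IDL.xml and read the third category as carefully as the first: a class whose retrieve is gated only by a permission that every staff account holds is, for a sensitive table, no better than the unrestricted case, which is exactly what the second entry above describes. Classes that name the pcrud controller but carry no permacrud block are listed separately rather than flagged, because whether pcrud serves them depends on the pcrud version in use.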