PT-2024-40222 · Neos Flow · Neos Flow

Published: 2024-05-17 · Updated: 2024-05-17

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Neos Flow versions 3.0 and later
Description: The issue arises when entity security is used to secure entities based on user properties, such as the company they belong to, in combination with the Doctrine query cache. SQL queries that were built for one user can then be reused from the cache by other users, allowing them to see entities not intended for them. The problem occurs when entity security is used in a more advanced way, such as checking that a customer only sees their own orders.
Recommendations: For Neos Flow versions 3.0 and later, if you use Entity Security in a custom Flow or Neos application and have implemented advanced entity security features, you need to implement the CacheAwareInterface in your global object for proper caching. If you only use Entity Security based on roles, no action is required. If you have disabled the Doctrine Cache, you are not affected.
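
The caching problem and the recommended fix, shown as a simplified model. This is an added example, not code from Neos Flow or from the advisory. The interface is a local stand-in for Flow's CacheAwareInterface, and `CompanyContext`, `queryCacheKey()`, the role name and the company ids are hypothetical (PHP 8.0 or later assumed).

```php
<?php
declare(strict_types=1);

// Local stand-in for Flow's CacheAwareInterface so the file runs without Flow.
interface CacheAwareInterface
{
    public function getCacheEntryIdentifier(): string;
}

// Hypothetical global object holding the user property an entity policy compares.
final class CompanyContext implements CacheAwareInterface
{
    public function __construct(private string $companyId) {}

    // Must change whenever the value used in the entity constraint changes.
    public function getCacheEntryIdentifier(): string
    {
        return sha1('company:' . $this->companyId);
    }
}

// Simplified model (an assumption, not Flow internals): the cache key is the
// query text plus roles plus the identifier of every cache-aware global object.
function queryCacheKey(string $dql, array $roles, array $globalObjects): string
{
    sort($roles);
    $parts = [$dql, implode(',', $roles)];
    foreach ($globalObjects as $name => $object) {
        if ($object instanceof CacheAwareInterface) {
            $parts[] = $name . '=' . $object->getCacheEntryIdentifier();
        }
        // Anything else adds nothing to the key, so its state cannot separate
        // one user's cached SQL from another's.
    }
    return sha1(implode('|', $parts));
}

// Constructed sample data: same role and query, different companies.
$dql = 'SELECT o FROM Order o';
$roles = ['Acme.Shop:Customer'];
$key = fn (object $ctx): string => queryCacheKey($dql, $roles, ['companyContext' => $ctx]);

$plainShared = $key((object) ['companyId' => 'company-a']) === $key((object) ['companyId' => 'company-b']);
$awareShared = $key(new CompanyContext('company-a')) === $key(new CompanyContext('company-b'));

printf("plain global object, cache entry shared across companies: %s\n", $plainShared ? 'yes' : 'no');
printf("cache-aware global object, cache entry shared across companies: %s\n", $awareShared ? 'yes' : 'no');
```

In this model the plain object leaves both companies on one cache entry, while the cache-aware object gives each company its own.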

Fix


Related Identifiers

GHSA-9CW3-J7WG-JWJ8

Affected Products

Neos Flow