Thanks for reporting PrivEsc CVE-2025-59945 #529
aronmolnar
started this conversation in Show and tell
We very much appreciate @p1xl5's report of the privilege escalation vulnerability (CVE-2025-59945) that we fixed last week in SysReptor.
The privilege escalation was due to a missing "read-only" flag for the "project admin" permission. Authenticated users could therefore elevate their privileges to read, modify and delete projects without being authorized.
We will implement a new set of unit tests so that this kind of vulnerability won't happen for permissions we introduce in the future.
If you have a self-hosted SysReptor installation and haven't updated to version 2025.83: now is the time to do so.
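The bug class described above (a privilege-granting field that a user-editable endpoint accepts because it lacks a read-only flag) and the regression test the post promises, as an added illustration that is not SysReptor's code; the schema, field names and record layout are constructed for this example.

```python
"""Hypothetical model of a user-editable permissions record.
If a privilege field is not marked read_only, any authenticated user who can
edit their own record can grant it to themselves. The invariant check at the
bottom is the kind of unit test that catches this for future permissions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldSpec:
    name: str
    read_only: bool = False  # when True, client-supplied values are ignored


# Constructed list of fields that confer privileges (not SysReptor's names).
PRIVILEGE_FIELDS = {"is_project_admin", "is_superuser"}

# "Before": the privilege field is writable by the client.
VULNERABLE_SCHEMA = [FieldSpec("display_name"), FieldSpec("is_project_admin")]
# "After": the privilege field is declared read-only.
FIXED_SCHEMA = [FieldSpec("display_name"),
                FieldSpec("is_project_admin", read_only=True)]


def apply_update(schema, current, payload):
    """Copy client-supplied values onto the record, honouring read_only flags."""
    updated = dict(current)
    for spec in schema:
        if spec.read_only or spec.name not in payload:
            continue
        updated[spec.name] = payload[spec.name]
    return updated


def writable_privilege_fields(schema):
    """Regression invariant: privilege fields a client could set. Must be empty."""
    return {s.name for s in schema
            if s.name in PRIVILEGE_FIELDS and not s.read_only}


if __name__ == "__main__":
    record = {"display_name": "alice", "is_project_admin": False}
    payload = {"display_name": "alice", "is_project_admin": True}
    print(apply_update(VULNERABLE_SCHEMA, record, payload)["is_project_admin"])
    print(apply_update(FIXED_SCHEMA, record, payload)["is_project_admin"])
    print(writable_privilege_fields(VULNERABLE_SCHEMA))
    print(writable_privilege_fields(FIXED_SCHEMA))
```

In a real test suite the `writable_privilege_fields` check would iterate over every serializer or form that authenticated users can submit, so a newly added permission without the flag fails the build rather than shipping.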