
SS-2013-003: Privilege escalation through Group hierarchy setting

CMS users with access to the "Security" admin interface, but without ADMIN permissions, are able to increase their privileges. Because groups inherit permissions from their parent groups, re-parenting a group that a malicious user belongs to under a more privileged group causes it to inherit that group's permissions. Note: only a small number of advanced installations have separate "sub-admin" groups set up, which is what makes them vulnerable to this issue.

This was fixed by limiting group hierarchy changes to groups that hold none of a set of privileged permissions (CMS_ACCESS_SecurityAdmin, EDIT_PERMISSIONS, APPLY_ROLES, ADMIN), unless the currently logged-in user already has ADMIN permissions.
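The following is an added illustration, not SilverStripe's own code: a minimal model of inherited group permissions plus a guard in the spirit of the fix. It assumes the guard applies to the proposed new parent (a non-ADMIN actor may only pick a parent whose effective permissions contain none of the privileged codes) and adds a cycle check; the group names and permission code CMS_ACCESS_CMSMain in the scenario are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Iterator, Optional, Set

# The permission codes the advisory names as privileged.
PRIVILEGED = {"CMS_ACCESS_SecurityAdmin", "EDIT_PERMISSIONS", "APPLY_ROLES", "ADMIN"}


@dataclass(eq=False)
class Group:
    name: str
    own_permissions: Set[str] = field(default_factory=set)
    parent: Optional["Group"] = None

    def ancestors(self) -> Iterator["Group"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def effective_permissions(self) -> Set[str]:
        """Directly granted permissions plus everything inherited from ancestors."""
        perms = set(self.own_permissions)
        for ancestor in self.ancestors():
            perms |= ancestor.own_permissions
        return perms


def can_set_parent(actor_perms: Set[str], group: Group, new_parent: Optional[Group]) -> bool:
    """Guard for a re-parenting request (assumed reading of the fix): non-ADMIN actors may only
    choose a parent whose effective permissions contain no PRIVILEGED code; cycles are refused."""
    if new_parent is not None:
        if new_parent is group or any(a is group for a in new_parent.ancestors()):
            return False
    if "ADMIN" in actor_perms or new_parent is None:
        return True
    return not (new_parent.effective_permissions() & PRIVILEGED)


def escalation_scenario() -> dict:
    """Constructed hierarchy: a security sub-admin tries to hang their own group under Administrators."""
    admins = Group("Administrators", {"ADMIN"})
    editors = Group("Content editors", {"CMS_ACCESS_CMSMain"})
    security = Group("Security admins", {"CMS_ACCESS_SecurityAdmin"})
    sub_admin = security.effective_permissions()  # what the sub-admin holds: no ADMIN
    result = {
        "sub_admin_blocked": not can_set_parent(sub_admin, security, admins),
        "sub_admin_harmless_move": can_set_parent(sub_admin, security, editors),
        "real_admin_allowed": can_set_parent({"ADMIN"}, security, admins),
    }
    security.parent = admins  # what an unguarded save would have done
    result["inherited_after_move"] = "ADMIN" in security.effective_permissions()
    return result
```

The last entry of the returned dict shows why the guard matters: once the group sits under Administrators, ADMIN flows down to every member through inheritance.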

Severity: Low
Identifier: SS-2013-003
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.12, 3.0.6, 3.1.0
Release Date: 2013-09-12
