Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2013-004: Privilege escalation through Group and Member CSV upload

The "Security" admin interface allows import of member and group records from CSV data. CMS users with CMS_ACCESS_SecurityAdmin permission but without ADMIN permissions can increase their CMS privileges through this mechanism. Only a small number of advanced installations should have separate "sub-admin" groups set up which makes them vulnerable to this issue.

Access to this functionality has been limited to users with the ADMIN permission. If you're using the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly, please ensure they're appropriately secured.

Severity:
Low (?)
Identifier:
SS-2013-004
Versions Affected:
2.4,3.0,3.1
Versions Fixed:
2.4.12,3.0.6,3.1.0
Release Date:
2013-09-12

The "Security" admin interface allows import of member and group records from CSV data. CMS users with CMS_ACCESS_SecurityAdmin permission but without ADMIN permissions can increase their CMS privileges through this mechanism. Only a small number of advanced installations should have separate "sub-admin" groups set up which makes them vulnerable to this issue.

Access to this functionality has been limited to users with the ADMIN permission. If you're using the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly, please ensure they're appropriately secured.