SS-2013-004: Privilege escalation through Group and Member CSV upload

Severity: Low
Versions Affected:
Versions Fixed:
Release Date:

The "Security" admin interface allows import of member and group records from CSV data. CMS users with the CMS_ACCESS_SecurityAdmin permission but without ADMIN permissions can increase their CMS privileges through this mechanism. Only a small number of advanced installations should have separate "sub-admin" groups set up, which is what makes them vulnerable to this issue.

Access to this functionality has been limited to users with the ADMIN permission. If you're using the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly, please ensure they're appropriately secured.
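The following is an added illustration of the kind of gate the fix describes; it is not SilverStripe's own code or the patched SecurityAdmin controller. It assumes SilverStripe 3.x-style APIs (Permission::check(), Security::permissionFailure(), the BulkLoader::load($filepath) method) and a hypothetical controller, action names and CSV path parameter that do not appear on the advisory page.

```php
<?php
// Added example, not SilverStripe project code. Assumes SilverStripe 3.x-style
// Controller, Permission, Security and BulkLoader APIs; the class, action names
// and the csvPath parameter are hypothetical.

class GroupImportController extends Controller
{
    // Only the hardened action is routable; the weak one is kept for comparison.
    private static $allowed_actions = array('importGroups');

    /**
     * Weak gate (the situation the advisory describes): a user who only holds
     * CMS_ACCESS_SecurityAdmin can reach GroupCsvBulkLoader and import group
     * records that carry permissions they do not have themselves.
     * Not routed; shown only to contrast with importGroups() below.
     */
    protected function importGroupsWeak(SS_HTTPRequest $request)
    {
        if (!Permission::check('CMS_ACCESS_SecurityAdmin')) {
            return Security::permissionFailure($this);
        }
        $loader = new GroupCsvBulkLoader();
        return $loader->load($this->csvPathFromRequest($request));
    }

    /**
     * Hardened gate, following the fix: the loader runs only for ADMIN users.
     * The same check applies to MemberCsvBulkLoader when it is used directly.
     */
    public function importGroups(SS_HTTPRequest $request)
    {
        if (!Permission::check('ADMIN')) {
            return Security::permissionFailure(
                $this,
                'Importing groups and members requires the ADMIN permission.'
            );
        }
        $loader = new GroupCsvBulkLoader();
        $result = $loader->load($this->csvPathFromRequest($request));

        // Surface what the import did so an administrator can review it.
        return sprintf(
            'Imported %d, updated %d, deleted %d group records.',
            $result->CreatedCount(),
            $result->UpdatedCount(),
            $result->DeletedCount()
        );
    }

    /**
     * Hypothetical helper: resolves the CSV to import from the request.
     * In a real controller this would come from a validated file upload;
     * here it is a plain POST parameter to keep the example focused on the gate.
     */
    protected function csvPathFromRequest(SS_HTTPRequest $request)
    {
        return $request->postVar('csvPath');
    }
}
```

The point is the permission code, not the controller plumbing: any path that reaches GroupCsvBulkLoader or MemberCsvBulkLoader should be gated on ADMIN, since CMS_ACCESS_SecurityAdmin alone is exactly the privilege level the advisory says can be escalated.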
