SS-2013-004: Privilege escalation through Group and Member CSV upload

Severity: Low (?)
Identifier: SS-2013-004
Versions Affected: 2.4, 3.0, 3.1
Versions Fixed: 2.4.12, 3.0.6, 3.1.0
Release Date: 2013-09-12

The "Security" admin interface allows member and group records to be imported from CSV data. CMS users who hold the CMS_ACCESS_SecurityAdmin permission but not the ADMIN permission can use this import to raise their own CMS privileges, because the imported records are written without the permission checks that apply when the same data is edited through the normal forms. Only the small number of advanced installations that have set up separate "sub-admin" groups (users with CMS_ACCESS_SecurityAdmin but without ADMIN) are exposed; a site whose security administrators are all full administrators gains nothing from the escalation.

Access to the CSV import in the Security admin has been limited to users with the ADMIN permission. This change covers only the built-in interface: if your own code uses the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly, make sure every code path that reaches them enforces an equivalent permission check, since the loaders themselves do not.
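As an added illustration of the advice above (this is not SilverStripe's own code and not the patched SecurityAdmin), the following hypothetical controller wraps a direct use of MemberCsvBulkLoader and refuses to run the import unless the current user holds ADMIN. It is written against the SilverStripe 3.x API as understood here; the class name MemberImportController, the action name and the form field name CsvFile are assumptions for illustration.

```php
<?php
// Added example, not part of the SilverStripe framework or of this advisory.
// Assumes SilverStripe 3.x: Controller, Permission, Security and
// MemberCsvBulkLoader are framework classes; everything else is invented here.

class MemberImportController extends Controller {

    private static $allowed_actions = array('import');

    // Gate the whole controller on ADMIN. CMS_ACCESS_SecurityAdmin is NOT
    // sufficient: a CSV row can assign group memberships and thereby grant the
    // importing user more than they could obtain through the edit forms.
    public function init() {
        parent::init();
        if (!Permission::check('ADMIN')) {
            return Security::permissionFailure(
                $this,
                'Only administrators may import member records.'
            );
        }
    }

    public function import(SS_HTTPRequest $request) {
        // Re-check in the action itself, so the loader stays unreachable even if a
        // subclass later overrides init() and forgets to call parent::init().
        if (!Permission::check('ADMIN')) {
            return $this->httpError(403, 'ADMIN permission required');
        }

        if ($request->httpMethod() !== 'POST') {
            return $this->httpError(405, 'Use POST');
        }

        // 'CsvFile' is the assumed name of the file input on the upload form.
        if (!isset($_FILES['CsvFile']) || !is_uploaded_file($_FILES['CsvFile']['tmp_name'])) {
            return $this->httpError(400, 'No CSV file uploaded');
        }

        // Only now instantiate the loader; it performs no permission checks itself.
        $loader = new MemberCsvBulkLoader();
        $result = $loader->load($_FILES['CsvFile']['tmp_name']);

        return sprintf(
            'Members created: %d, updated: %d, deleted: %d',
            $result->CreatedCount(),
            $result->UpdatedCount(),
            $result->DeletedCount()
        );
    }
}
```

The same pattern applies to GroupCsvBulkLoader: the permission check belongs in the code that invokes the loader, before any file is opened, and should be tied to ADMIN rather than to the CMS_ACCESS_SecurityAdmin code that sub-admin groups hold.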
