CVE-2019-12617 Access escalation for CMS users with limited access through permission cache pollution

Severity: Medium
Identifier: CVE-2019-12617
Versions Affected: ^4.3
Versions Fixed: 4.3.5, 4.4.4
Release Date: 2019-09-24

Due to incorrectly shared caches between files and page content, CMS users with different permissions for these object types could gain more access than defined by the system. The escalation depends on a specific access sequence, and on the underlying records having similar characteristics (database identifier). For example, CMS users with read-only access to files, but edit access to page content, could end up with edit access to certain files.
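The following simplified model is an added illustration of this bug class, not code from the CMS or from the fix. It assumes the collision happens when a file and a page share the same database identifier; the class names, the ACL and the lookup sequences are all hypothetical and constructed for the example.

```python
# Simplified model of permission cache pollution; not the CMS's own code.
# Constructed ACL for one user: read-only on files, edit access on pages.
ACL = {("File", "edit"): False, ("Page", "edit"): True}


class SharedPermissionCache:
    """Flawed: the cache key omits the object type, so File #7 and Page #7 collide."""

    def __init__(self, acl):
        self.acl = acl
        self._cache = {}

    def _key(self, obj_type, obj_id, action):
        return (obj_id, action)

    def can(self, obj_type, obj_id, action):
        key = self._key(obj_type, obj_id, action)
        if key not in self._cache:
            # Cache miss: evaluate the real permission and remember it.
            self._cache[key] = self.acl[(obj_type, action)]
        return self._cache[key]


class ScopedPermissionCache(SharedPermissionCache):
    """Hardened: the object type is part of the key, so entries never cross types."""

    def _key(self, obj_type, obj_id, action):
        return (obj_type, obj_id, action)


def audit(cache_cls, sequence):
    """Replay lookups and return those where the cached answer differs from the ACL."""
    cache = cache_cls(ACL)
    return [(t, i, a) for t, i, a in sequence if cache.can(t, i, a) != ACL[(t, a)]]


# Constructed access sequences: the same records, looked up in a different order.
PAGE_FIRST = [("Page", 7, "edit"), ("File", 7, "edit"), ("File", 8, "edit")]
FILE_FIRST = [("File", 7, "edit"), ("Page", 7, "edit")]

if __name__ == "__main__":
    for cls in (SharedPermissionCache, ScopedPermissionCache):
        print(cls.__name__, audit(cls, PAGE_FIRST), audit(cls, FILE_FIRST))
```

With the shared key, the page-first order leaves the user with edit access to file 7 only (file 8 has no matching page lookup), while the file-first order wrongly denies the page edit; the `audit` replay can serve as a regression test that cached decisions always match uncached ones.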

Base CVSS Score: 5.0

CWP Environmental Score: 5.0

Thanks to Serge Latyntcev for reporting this issue.