SS-2013-003: Privilege escalation through Group hierarchy setting
- Low (?)
- Versions Affected:
- Versions Fixed:
- Release Date:
CMS users with access to the "Security" admin interface, but without ADMIN permissions, are able to increase their privileges. Since groups inherit permissions from parent groups, any changes to a group that a malicious user belongs to can inherit further privileged permissions. Note: Only a small number of advanced installations should have separate "sub-admin" groups set up which makes them vulnerable to this issue.
This was fixed by limiting group hierarchy changes to those without a set of privileged permissions (CMS_ACCESS_SecurityAdmin, EDIT_PERMISSIONS, APPLY_ROLES, ADMIN), unless the currently logged-in user has ADMIN permissions already.