
SS-2015-023: Advanced workflow member field exposure

Severity:
Low
Identifier:
SS-2015-023
Versions Affected:
3.2.1 and below
Versions Fixed:
3.2.3
Release Date:
2015-11-23

By default, the CMS Admin editable template for the NotifyUsers action has access to a large number of fields, including, for instance, Member#Password. This would allow a malicious CMS Admin to extract other admins' passwords by adding a template that emails those fields to themselves whenever other admins trigger the workflow.

A new configuration option, `NotifyUsersWorkflowAction.whitelist_template_variables`, has been added. When this option is set to true via the Config API, only the member fields listed in Member.summary_fields may be accessed from the notification template.
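The following YAML is an added example of applying the mitigation above; it is not taken from the advisory or from the advanced workflow module. It assumes the SilverStripe 3 YAML Config API, a file path of `mysite/_config/workflow.yml` and the block name `workflownotifywhitelist` (both arbitrary), and that the whitelist option is off unless explicitly enabled, which is what the advisory's wording implies.

```yaml
# Added example (not the advisory's or the module's own configuration):
# enable the template-variable whitelist introduced in 3.2.3 and make the
# member fields a notification may reference explicit.
# Assumed location: mysite/_config/workflow.yml. Any .yml file under a
# _config directory is loaded by the SilverStripe 3 Config API.
---
Name: workflownotifywhitelist
---
# Unrestricted behaviour (the state this advisory fixes): with the option
# absent or false, the NotifyUsers email template can read any Member field,
# including Member#Password. Left here commented out for comparison only.
# NotifyUsersWorkflowAction:
#   whitelist_template_variables: false

# Hardened setting: the template may only use fields listed in
# Member.summary_fields.
NotifyUsersWorkflowAction:
  whitelist_template_variables: true

# State the allowed fields explicitly rather than relying on framework
# defaults. These three cover what a notification email needs; Password and
# other sensitive columns are deliberately not listed.
Member:
  summary_fields:
    - FirstName
    - Surname
    - Email
```

After flushing the config cache (`?flush=1`), confirm the effective list with `Config::inst()->get('Member', 'summary_fields')`: SilverStripe 3 merges YAML array values with those already set in code, so this block can add entries but cannot remove one that another module has already pushed into `summary_fields`. Note also that `summary_fields` drives the Members grid in the Security admin, so anything added here becomes a visible column there as well.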

Common Vulnerability Scoring System (CVSS) Information