SS-2013-003: Privilege escalation through Group hierarchy setting

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2013-003
Versions Affected:: 2.4,3.0,3.1
Versions Fixed:: 2.4.12,3.0.6,3.1.0
Release Date:: 2013-09-12

CMS users with access to the "Security" admin interface, but without ADMIN permissions, are able to increase their privileges. Since groups inherit permissions from parent groups, any changes to a group that a malicious user belongs to can inherit further privileged permissions. Note: Only a small number of advanced installations should have separate "sub-admin" groups set up which makes them vulnerable to this issue.

This was fixed by limiting group hierarchy changes to those without a set of privileged permissions (CMS_ACCESS_SecurityAdmin, EDIT_PERMISSIONS, APPLY_ROLES, ADMIN), unless the currently logged-in user has ADMIN permissions already.