SS-2013-004: Privilege escalation through Group and Member CSV upload
- Severity: Low
- Identifier: SS-2013-004
- Versions Affected: 2.4, 3.0, 3.1
- Versions Fixed: 2.4.12, 3.0.6, 3.1.0
- Release Date: 2013-09-12
The "Security" admin interface allows importing member and group records from CSV data. CMS users who hold the CMS_ACCESS_SecurityAdmin permission but not ADMIN can use this import to raise their own CMS privileges. Only a small number of advanced installations have separate "sub-admin" groups set up in this way, and only those installations are exposed to this issue.
Access to this functionality is now limited to users with the ADMIN permission. If you call the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly from your own code, make sure you apply an equivalent permission check before invoking them.
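The following is an added example of how a custom controller that drives MemberCsvBulkLoader directly should gate the call; it is not code from the advisory or from the SilverStripe framework. It assumes SilverStripe 3.x, where Permission::check(), Security::permissionFailure(), Controller::httpError(), SS_HTTPRequest::postVar(), CsvBulkLoader::load() and the BulkLoader_Result count methods are framework APIs; the controller class name, the route it would be mounted on and the 'CsvFile' upload field are hypothetical.

```php
<?php
// Added example, not part of the SS-2013-004 advisory or the SilverStripe code base.
// Assumes SilverStripe 3.x. MemberImportController and the 'CsvFile' field are hypothetical.

class MemberImportController extends Controller {

    private static $allowed_actions = array('import');

    public function import(SS_HTTPRequest $request) {
        // The bulk loaders write whatever the CSV says, including which groups a
        // member belongs to, so the caller can grant privileges it does not hold.
        // This is why the upstream fix requires ADMIN rather than the weaker
        // CMS_ACCESS_SecurityAdmin, which a "sub-admin" also has:
        //
        //   if (!Permission::check('CMS_ACCESS_SecurityAdmin')) { ... }   // insufficient
        //
        if (!Permission::check('ADMIN')) {
            return Security::permissionFailure($this, 'Only administrators may import members.');
        }

        // Hypothetical multipart form field carrying the uploaded CSV.
        $upload = $request->postVar('CsvFile');
        if (!$upload || !isset($upload['tmp_name']) || !is_uploaded_file($upload['tmp_name'])) {
            return $this->httpError(400, 'No CSV file uploaded.');
        }

        // Only reached by a full administrator; the loader itself does no permission check.
        $loader = new MemberCsvBulkLoader();
        $result = $loader->load($upload['tmp_name']);

        return sprintf(
            'Imported members: %d created, %d updated, %d deleted',
            $result->CreatedCount(),
            $result->UpdatedCount(),
            $result->DeletedCount()
        );
    }
}
```

The same guard applies to GroupCsvBulkLoader, whose rows can carry permission codes for the imported groups. The check belongs in the code that invokes the loader, not in the loader subclass, because the loader classes are also used from other entry points that already enforce their own permissions.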