SS-2018-001: Privilege Escalation Risk in Member Edit form

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2018-001
Versions Affected:: silverstripe/framework:^3.5.7, silverstripe/framework:^3.6.0, silverstripe/framework:^4.0.0, silverstripe/framework:^4.1.0
Versions Fixed:: silverstripe/framework:3.5.8, silverstripe/framework:3.6.6, silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
Release Date:: 2018-05-28

A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.

CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.

Reported by: Worik Stanton