| Issue:
|
SI-59
|
| Date:
|
Dec 13, 2021, 11:30:00 AM
|
|
Severity:
|
Medium
|
|
Requires Admin Access:
|
Yes
|
|
Fix Version:
|
21.12, 5.3.8.4, 21.06.04 |
| Credit:
|
Vinicius Ribeiro Ferreira da Silva |
| Description:
|
- While editing a template we have total access to the User and UserModel classes via $user
- One of the UserModel methods is called setUserId
- If we call setUserId and pass "system" as parameter we get access to the system user role
- To exploit this flaw we need a user with the following permissions/role:
- Active; Back-end User
- Back-end Users need the following permissions:
- View: Sites, Pages, Templates
- Edit: Templates
|
| Mitigation:
|
- Limit Access to Template Screen to Administrative Users
- Upgrade to fix version
|
| References
|
https://huntr.dev/bounties/5db6c499-a4da-4628-a999-50af4681e1aa/
|