silverstripe/framework Privilege Escalation Risk in Member Edit form
A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.
CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.
| Software | From | Fixed in |
|---|---|---|
silverstripe / framework
|
3.5.7-rc1 | 3.5.8 |
|
silverstripe / framework
|
3.6.0-rc1 | 3.6.6 |
|
silverstripe / framework
|
4.0.0-rc1 | 4.0.4 |
|
silverstripe / framework
|
4.1.0-rc1 | 4.1.1 |
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-001-1.yaml
- https://github.com/silverstripe/silverstripe-framework/commit/577138882163e4b8782ea043487944d30d88e753
- https://github.com/silverstripe/silverstripe-framework/commit/e409d6f673c49846086b23677aecdc3fde5fc4d5
- https://www.silverstripe.org/download/security-releases/ss-2018-001
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime