silverstripe/framework Privilege Escalation Risk in Member Edit form

A member with the permission EDIT_PERMISSIONS and access to the "Security" section is able to re-assign themselves (or another member) to ADMIN level.

CMS Fields for the member are constructed using DirectGroups instead of Groups relation which results in bypassing security logic preventing privilege escalation.

Published: May 27, 2024
Updated: Jun 27, 2024
GHSA: GHSA-xpff-c35g-j3cr
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-268

Affected Software
References

Software	From	Fixed in
silverstripe / framework	3.5.7-rc1	3.5.8
silverstripe / framework	3.6.0-rc1	3.6.6
silverstripe / framework	4.0.0-rc1	4.0.4
silverstripe / framework	4.1.0-rc1	4.1.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2018-001-1.yaml
https://github.com/silverstripe/silverstripe-framework/commit/577138882163e4b8782ea043487944d30d88e753
https://github.com/silverstripe/silverstripe-framework/commit/e409d6f673c49846086b23677aecdc3fde5fc4d5
https://www.silverstripe.org/download/security-releases/ss-2018-001

Vulnerability Database

silverstripe/framework Privilege Escalation Risk in Member Edit form