Security Advisory - Staff Permission Escalation
February 12, 2014
Cody
Affected Versions
Versions 3.0.0 through 3.0.8, and 3.1.0 are affected.
Description
Active and valid staff members may be able to gain additional permissions through crafted URLs. Because this issue requires that the user have an active and valid staff member account, this is classified as a Moderate vulnerability. Patch release 3.0.9 and 3.1.1 corrects this vulnerability.
Resolution
If you are running 3.0.x upgrade to version 3.0.9. If you are running 3.1.0 upgrade to version 3.1.1.
Related tasks:
- CORE-1045
Credits
CORE-1045 was discovered by Nerijus Barauskas at NGnTC.