Affected Versions
Versions 3.0.0 through 3.0.8 and version 3.1.0 are affected.
Description
Active and valid staff members may be able to gain additional permissions through crafted URLs. Because this issue requires that the user have an active and valid staff member account, this is classified as a Moderate vulnerability. Patch releases 3.0.9 and 3.1.1 correct this vulnerability.
Resolution
If you are running 3.0.x, upgrade to version 3.0.9. If you are running 3.1.0, upgrade to version 3.1.1.
Related tasks:
- CORE-1045
Credits
CORE-1045 was discovered by Nerijus Barauskas at NGnTC.