Issues » Improper Privilege Management in Velocity

Issue: SI-59
Date: Dec 13, 2021, 11:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 21.12, 5.3.8.4, 21.06.04
Credit: Vinicius Ribeiro Ferreira da Silva
Description:
  1. While editing a template we have total access to the User and UserModel classes via $user
  2. One of the UserModel methods is called setUserId
  3. If we call setUserId and pass "system" as parameter we get access to the system user role
  4. To exploit this flaw we need a user with the following permissions/role:
    • Active; Back-end User
    • Back-end Users need the following permissions:
      • View: Sites, Pages, Templates
      • Edit: Templates
Mitigation:
  • Limit Access to Template Screen to Administrative Users
  • Upgrade to fix version

References

https://huntr.dev/bounties/5db6c499-a4da-4628-a999-50af4681e1aa/

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews