Open luuthehienhbit opened 4 years ago
We need to add a new permission for the impersonate functionality (login as another user). Currently, there is no such permission.
Thanks for the report @luuthehienhbit
But what if the user mod can delete all accounts, including the admin? You can review the policy. Thank you!!!
SCOPE:
Package: Subrion CMS
Version: 4.2.1
ISSUE: User management policy
Vulnerability Description: A user with the Moderators permission can perform deletion of the authorized user Administrator. This can be exploited to vandalize the website by a bad Mod user.
Steps To Reproduce:
- Create user test, add to UserGroup Administrators
- Create user test1, add to UserGroup Moderators
- Login as user test; able to delete user admin
- Login as user test1 (mod), but may delete test1
Reference: https://drive.google.com/open?id=14heul86tMbr-ragLCVYfbqS1Kj6kUEw4
Mitigations: Set up a policy to perform user authorization
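The flaw reported in this thread is that the delete action is gated only on *whether the actor holds a delete permission*, never on *who the target is*, so a Moderator can remove an Administrator. The thread also asks for a separate impersonation permission. The following is an added illustrative example, not Subrion CMS code: it puts the permission-only check (the reported behaviour) beside a hardened check that also requires the actor to strictly outrank the target and forbids self-deletion, and gates impersonation behind its own permission. The role hierarchy, the permission names `members:delete` / `members:impersonate`, and the users `test`, `test1` and `admin` are assumptions constructed for the demo.

```python
"""Rank-aware authorization for account deletion and impersonation.

Illustrative example only, not Subrion CMS code. The roles, permission
names and user records below are assumptions constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    """Ordered roles: a higher value outranks a lower one (assumed hierarchy)."""
    MEMBER = 1
    MODERATOR = 2
    ADMINISTRATOR = 3


@dataclass(frozen=True)
class User:
    username: str
    role: Role


# Assumed permission names. "members:delete" alone says nothing about *whom*
# the holder may delete, and impersonation gets its own grant, as the thread asks.
PERMISSIONS = {
    Role.MEMBER: frozenset(),
    Role.MODERATOR: frozenset({"members:delete"}),
    Role.ADMINISTRATOR: frozenset({"members:delete", "members:impersonate"}),
}


def has_permission(actor: User, permission: str) -> bool:
    return permission in PERMISSIONS[actor.role]


def vulnerable_can_delete(actor: User, target: User) -> bool:
    """The flawed check the report describes: asks only whether the actor
    holds the delete permission and never compares actor against target."""
    return has_permission(actor, "members:delete")


def _outranks(actor: User, target: User) -> tuple[bool, str]:
    """Shared rank check: the actor must strictly outrank the target.
    Treating equal rank as a denial is a policy choice made for this demo."""
    if actor.username == target.username:
        return False, "an account cannot act on itself through this path"
    if target.role >= actor.role:
        return False, f"{actor.role.name} does not outrank {target.role.name}"
    return True, "allowed"


def can_delete(actor: User, target: User) -> tuple[bool, str]:
    """Hardened check: delete permission AND strict rank ordering AND no self-delete."""
    if not has_permission(actor, "members:delete"):
        return False, "actor lacks members:delete"
    return _outranks(actor, target)


def can_impersonate(actor: User, target: User) -> tuple[bool, str]:
    """Impersonation (login as another user) is a separate privilege, gated the same way."""
    if not has_permission(actor, "members:impersonate"):
        return False, "actor lacks members:impersonate"
    return _outranks(actor, target)


def demo() -> dict[str, tuple[bool, str]]:
    """Runs the report's scenario on constructed users and returns every decision."""
    test = User("test", Role.ADMINISTRATOR)    # constructed, mirrors the report
    test1 = User("test1", Role.MODERATOR)      # constructed, mirrors the report
    admin = User("admin", Role.ADMINISTRATOR)  # constructed
    return {
        "vulnerable: test1 deletes test": (vulnerable_can_delete(test1, test), "permission-only check"),
        "hardened: test1 deletes test": can_delete(test1, test),
        "hardened: test deletes test1": can_delete(test, test1),
        "hardened: test deletes admin": can_delete(test, admin),
        "hardened: test1 impersonates test": can_impersonate(test1, test),
        "hardened: test impersonates test1": can_impersonate(test, test1),
    }


if __name__ == "__main__":
    for scenario, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {scenario}: {reason}")
```

Run it as a script to see the vulnerable check grant the Moderator's deletion of an Administrator while the hardened check denies it; the rank comparison, not the permission bit, is what closes the reported hole. In a real application the same rank check belongs on every privileged account operation (delete, edit role, impersonate), so that adding a new permission later does not reopen the gap.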