CVE-2015-3235 - edit_users permission allows changing of admin passwords
|Assigned To:|Shlomi Zadok|
|Found in release:||
|Pull request:|https://github.com/theforeman/foreman/pull/2465|
|Velocity based estimate:|-|
A user holding the edit_users permission (for example through the Manager role) is allowed to edit users flagged as admin, not just ordinary users. Since editing a user includes setting a new password, such a user can reset the admin account's password and log in as admin, escalating from a limited role to full administrative access.
Tracked as CVE-2015-3235.
Workaround: for every role that grants edit_users, edit the role's edit_users filter, clear the "Unlimited" flag and set its search query to "admin = false". The permission then applies only to non-admin accounts, so admin users can no longer be edited (or have their passwords changed) by holders of that role.
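As an added illustration (this is not Foreman's code and not the fix in the linked pull request), the following simplified Ruby model shows what the workaround changes: a permission filter that is "Unlimited" applies to every target user, while one scoped with the search query `admin = false` only applies to non-admin targets. The `User`, `Filter` and `Role` structs, the `authorized?` and `change_password!` helpers, and the tiny `matches_search?` evaluator (which supports only `field = value` clauses joined by `and`, a hypothetical subset of Foreman's real search syntax) are assumptions made for this example.

```ruby
# Added example: simplified model of permission filters scoped by a search
# query. Not Foreman's code; names and the search-syntax subset are assumed.

User   = Struct.new(:login, :admin, :password_hash, keyword_init: true)
# A filter grants permissions on every object when `unlimited` is true,
# otherwise only on objects matching `search`.
Filter = Struct.new(:permissions, :unlimited, :search, keyword_init: true)
Role   = Struct.new(:name, :filters, keyword_init: true)

# Hypothetical evaluator for "field = value [and field = value ...]".
def matches_search?(search, target)
  search.split(/\s+and\s+/i).all? do |clause|
    field, value = clause.split('=', 2).map(&:strip)
    actual = target[field.to_sym]
    case value
    when 'true'  then actual == true
    when 'false' then actual == false
    else actual.to_s == value.delete('"')
    end
  end
end

# Does any filter of any of the actor's roles grant `permission` on `target`?
def authorized?(actor_roles, permission, target)
  actor_roles.any? do |role|
    role.filters.any? do |f|
      next false unless f.permissions.include?(permission)
      f.unlimited || matches_search?(f.search, target)
    end
  end
end

# Password change guarded by the edit_users check; returns true on success.
def change_password!(actor_roles, target, new_password)
  return false unless authorized?(actor_roles, :edit_users, target)
  target.password_hash = "hashed(#{new_password})" # stand-in for real hashing
  true
end

# Constructed data mirroring the issue.
ADMIN = User.new(login: 'admin', admin: true, password_hash: 'hashed(old)')

# Before the workaround: Manager's edit_users filter is "Unlimited".
MANAGER_UNLIMITED = Role.new(name: 'Manager', filters: [
  Filter.new(permissions: [:edit_users], unlimited: true, search: nil)
])
# After the workaround: same permission, scoped to non-admin accounts.
MANAGER_SCOPED = Role.new(name: 'Manager', filters: [
  Filter.new(permissions: [:edit_users], unlimited: false, search: 'admin = false')
])

# Returns [takeover_before, takeover_after, normal_edit_after]
def demo
  before = change_password!([MANAGER_UNLIMITED], ADMIN.dup, 'pwned') # true: admin taken over
  after  = change_password!([MANAGER_SCOPED],    ADMIN.dup, 'pwned') # false: blocked
  bob    = User.new(login: 'bob', admin: false, password_hash: 'hashed(x)')
  normal = change_password!([MANAGER_SCOPED], bob, 'new')            # true: still allowed
  [before, after, normal]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The scoped filter still lets a Manager change passwords of ordinary users, so the workaround removes only the escalation path, not the permission itself.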