CVE-2015-3235 - edit_users permission allows changing of admin passwords
Users, Roles and Permissions
A user holding the edit_users permission (for example, anyone with the Manager role) is allowed to edit admin users. That includes setting a new password on an admin account, which lets the non-admin user log in as that admin and take over the account.
Tracked as CVE-2015-3235.
Workaround: for every role that grants edit_users, edit the role's filter, remove the "Unlimited" flag and set a search query of "admin = false", so the permission only covers non-admin user records.
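The following Ruby model, added for this page and not Foreman's own code, walks the two controls above through the scenario the report describes: the role-filter workaround ("Unlimited" versus a search of "admin = false") and the fix ("non-admin user cannot update admin password"). User, Filter, authorized_to_edit?, update_password! and scenario are hypothetical names invented here; the filter parser understands only the admin = true|false term, and the users and filters are constructed sample data.

```ruby
# Added example for this page: a standalone model of Foreman-style role filters
# and of the password check the fix introduces. Not Foreman's code; all names
# below are hypothetical.

# Minimal stand-in for a user record.
User = Struct.new(:login, :admin, :password, keyword_init: true)

# Stand-in for a role filter: permissions that apply either to every record
# ("Unlimited") or only to records matching a search string. Only
# "admin = true|false" is understood; anything else raises rather than
# silently widening the filter to all users.
Filter = Struct.new(:permissions, :unlimited, :search, keyword_init: true) do
  def matches?(target)
    return true if unlimited
    m = /\Aadmin\s*=\s*(true|false)\z/i.match(search.to_s.strip)
    raise ArgumentError, "unsupported search: #{search.inspect}" unless m
    target.admin == (m[1].downcase == 'true')
  end
end

# Workaround side: may `actor`, holding `filters`, edit `target` at all?
def authorized_to_edit?(actor, filters, target)
  return true if actor.admin
  filters.any? { |f| f.permissions.include?(:edit_users) && f.matches?(target) }
end

class AdminPasswordChangeError < StandardError; end

# Fix side. With fixed: false the only gate is the filter (the vulnerable
# behaviour); with fixed: true a non-admin can never set an admin's password,
# whatever the filters say.
def update_password!(actor, filters, target, new_password, fixed: true)
  unless authorized_to_edit?(actor, filters, target)
    raise AdminPasswordChangeError, "#{actor.login} may not edit #{target.login}"
  end
  if fixed && target.admin && !actor.admin
    raise AdminPasswordChangeError, 'only an admin may change an admin password'
  end
  target.password = new_password
  target
end

# Run one filter configuration through both checks and report the outcome.
def scenario(filters, fixed: true)
  admin   = User.new(login: 'admin',   admin: true,  password: 'old-admin')
  manager = User.new(login: 'manager', admin: false, password: 'old-mgr')
  alice   = User.new(login: 'alice',   admin: false, password: 'old-alice')

  outcome = {
    filter_allows_admin_edit: authorized_to_edit?(manager, filters, admin),
    filter_allows_user_edit:  authorized_to_edit?(manager, filters, alice)
  }
  begin
    update_password!(manager, filters, admin, 'pwned', fixed: fixed)
    outcome[:admin_password_changed] = true
  rescue AdminPasswordChangeError
    outcome[:admin_password_changed] = false
  end
  outcome[:admin_password] = admin.password
  outcome
end

# Constructed sample filters: the reported configuration (edit_users with
# "Unlimited") and the workaround from this page ("admin = false").
UNLIMITED_FILTERS  = [Filter.new(permissions: [:edit_users], unlimited: true,  search: nil)]
RESTRICTED_FILTERS = [Filter.new(permissions: [:edit_users], unlimited: false, search: 'admin = false')]

if $PROGRAM_NAME == __FILE__
  p scenario(UNLIMITED_FILTERS, fixed: false)   # vulnerable: admin password replaced
  p scenario(UNLIMITED_FILTERS)                  # fixed code blocks the change
  p scenario(RESTRICTED_FILTERS, fixed: false)   # workaround alone blocks the change
end
```

The model separates the two layers on purpose: the search-scoped filter decides which user records the permission reaches at all, while the fix adds a check that does not depend on filter configuration, so an administrator who later re-enables "Unlimited" on a role is still protected.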
#1 Updated by Shlomi Zadok almost 8 years ago
- Assignee set to Shlomi Zadok
#2 Updated by The Foreman Bot almost 8 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2465 added
- Pull request deleted (
#3 Updated by Shlomi Zadok almost 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset f97fbd6f70ccd749f3bb2bece6e64d01d540561c.
#4 Updated by Ohad Levy almost 8 years ago
- Bugzilla link set to 1233084
fixes #10829 - non-admin user cannot update admin password