CVE-2015-3235 - edit_users permission allows changing of admin passwords
|Triaged:||Fixed in Releases:|
|Bugzilla link:||1233084||Found in Releases:|
A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.
Tracked as CVE-2015-3235.
Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".