CVE-2015-3235 - edit_users permission allows changing of admin passwords
A user with the edit_users permission (e.g. with the Manager role) is allowed to edit admin users. This allows them to change the password of the admin user's account and gain access to it.
Tracked as CVE-2015-3235.
Change roles of users with the edit_users permission, remove the "Unlimited" flag and set a search query of "admin = false".