Issues » User Privilege Escalation Possible In Velocity Code

Issue: SI-51
Date: Jan 25, 2019, 4:00:00 AM
Severity: Medium
Requires Admin Access: No
Fix Version: 5.1.0
Credit: 7Safe

By publishing custom, problematic VTL code, a user can elevate their dotCMS permissions for the duration of their browsing session.

The user must have publish permissions to publish the custom VTL file.

The status of the issue can be tracked here:


None at this time