Issues » Improper Privilege Management in Velocity

Issue: SI-59
Date: Dec 13, 2021, 11:30:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 21.12,, 21.06.04
Credit: Vinicius Ribeiro Ferreira da Silva
  1. While editing a template we have total access to the User and UserModel classes via $user
  2. One of the UserModel methods is called setUserId
  3. If we call setUserId and pass "system" as parameter we get access to the system user role
  4. To exploit this flaw we need a user with the following permissions/role:
    • Active; Back-end User
    • Back-end Users need the following permissions:
      • View: Sites, Pages, Templates
      • Edit: Templates
  • Limit Access to Template Screen to Administrative Users
  • Upgrade to fix version