
CVE-2022-42724: security: [user] Fixing disclosure of roles name to non-site admin us… · MISP/MISP@934b9cd

app/Controller/UsersController.php in MISP before 2.4.164 allows attackers to discover role names (this is information that only the site admin should have).

security: [user] Fixing disclosure of roles name to non-site admin users and ensure user edit applies the restricted_to_site_admin option

This vulnerability with a default MISP installation without additional roles is disclosing the list of role names which were restricted to the site admin. This commit fixes this disclosure vulnerability.

In addition, for MISP installations with custom roles, an org admin user could create a user assigned to new custom roles which were restricted to site admin. This could lead to the access of complementary permissions (except site admin, org admin and sync actions).

Credits: CIRCL
