Admin changing User level via More Actions button

Graeme59 · Post by **Graeme59** » Mon May 13, 2024 11:25 am

Hi,
I found a user who had been made a Super admin by an Admin, in error.

The Admin had used the More Actions option in the Organisation chart to edit a user's password, they had ticked the New password, populated the boxes and also ticked the Level which by default is set to Super admin.

This resulted in a level change, giving a user, Super admin privileges and access to all user's details.

This was in a site running 3.01, I have tested it and it is still possible in 4.0.7.

Can this be amended in the Administrator profile settings?

See image
Cheers
Graeme

alfa24 · Post by **alfa24** » Mon May 13, 2024 11:35 am

Hi Graeme, it's not a bug, but I agree, an Admin should not be capable of changing levels at all, or, if needed, should not be capable of elevating levels. This is a privilege escalation vulnerability of Forma.

Graeme59 · Post by **Graeme59** » Mon May 13, 2024 1:07 pm

Hi,
I agree Admins have no need to change levels.
It’s also a GDPR risk which is a concern.

Graeme

Post by **max** » Mon May 13, 2024 2:32 pm

Hello,
got it, we'll get back with a fix asap

Graeme59 · Post by **Graeme59** » Mon May 13, 2024 2:46 pm

Hi Max,
Thank you.
Cheers
Graeme

marco.urzi · Post by **marco.urzi** » Wed Jul 24, 2024 3:30 pm

Hi Graeme,
thanks for reporting and I inform you that we have released version 4.0.9 in which the problem has been resolved.
Greetings

Admin changing User level via More Actions button

Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button