
Admin changing User level via More Actions button

Posted: Mon May 13, 2024 11:25 am
by Graeme59
Hi,
I found a user who had been made a Super admin by an Admin, in error.

The Admin had used the More Actions option in the Organisation chart to edit a user's password: they had ticked the New password box, populated the fields, and also ticked the Level box, which by default is set to Super admin.

This resulted in a level change, giving the user Super admin privileges and access to all users' details.

This was on a site running 3.01; I have tested it and it is still possible in 4.0.7.

Can this be amended in the Administrator profile settings?
See attached image (Super admin.PNG).
Cheers
Graeme

Re: Admin changing User level via More Actions button

Posted: Mon May 13, 2024 11:35 am
by alfa24
Hi Graeme, it's not a bug, but I agree: an Admin should not be capable of changing levels at all, or, if that is needed, should not be capable of elevating levels. This is a privilege escalation vulnerability in Forma.
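The two posts above describe the same authorization gap from two sides: Graeme's report shows an edit form whose Level control defaults to the top level and is applied for any Admin, and alfa24's reply states the rule that should hold (Admins cannot change levels, or at least cannot elevate them). The example below, added here and not taken from Forma LMS's code base, models that gap and the fix. The role names `user`/`admin`/`superadmin`, the function names and the form field names are assumptions for the illustration; the real application's identifiers are not shown on the page.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical role ladder, lowest to highest. Forma's real level identifiers
# are not shown in the thread; these names are assumptions for the example.
LEVELS = ("user", "admin", "superadmin")


def rank(level: str) -> int:
    """Position of a level on the ladder; raises ValueError for unknown levels."""
    return LEVELS.index(level)


@dataclass
class User:
    username: str
    level: str
    password_hash: str = ""


class NotAuthorized(Exception):
    """Raised when the acting user may not perform the requested change."""


def hash_password(password: str) -> str:
    # Stand-in only; a real application uses a slow, salted hash (argon2, bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def vulnerable_edit_user(actor: User, target: User, form: dict) -> User:
    """Mirrors the reported behaviour: every field the form sends is applied,
    whoever the actor is. Because the form's Level box defaults to the top
    level, an Admin who ticks it while resetting a password promotes the
    target to superadmin."""
    if form.get("new_password"):
        target.password_hash = hash_password(form["new_password"])
    if "level" in form:
        target.level = form["level"]
    return target


def can_set_level(actor: User, requested: str) -> bool:
    """Only the top level may change levels at all, and no one may grant a
    level above their own (the second check is kept as defence in depth)."""
    if requested not in LEVELS:
        return False
    if actor.level != LEVELS[-1]:
        return False
    return rank(requested) <= rank(actor.level)


def hardened_edit_user(actor: User, target: User, form: dict) -> User:
    """Same handler with the authorization check done server-side, so that
    hiding the Level box in the UI is not the only thing in the way."""
    if form.get("new_password"):
        target.password_hash = hash_password(form["new_password"])
    requested = form.get("level")
    if requested is not None and requested != target.level:
        if not can_set_level(actor, requested):
            raise NotAuthorized(
                f"{actor.username} ({actor.level}) may not set "
                f"{target.username} to {requested}"
            )
        target.level = requested
    return target


def edit_form_fields(actor: User, target: User) -> dict:
    """Fields the edit form should expose. The Level control is only offered to
    a superadmin, and it defaults to the target's current level rather than
    to the highest one."""
    fields = {"new_password": ""}
    if actor.level == LEVELS[-1]:
        fields["level"] = target.level
    return fields


def outcome(handler, actor: User, target: User, form: dict) -> str:
    """Run a handler and report the target's resulting level, or 'denied'."""
    try:
        return handler(actor, target, form).level
    except NotAuthorized:
        return "denied"


if __name__ == "__main__":
    admin = User("admin1", "admin")
    # Constructed request: an Admin resets a password and leaves the Level box
    # at its default, the sequence described in the report.
    form = {"new_password": "Winter2024!", "level": "superadmin"}
    print("vulnerable:", outcome(vulnerable_edit_user, admin, User("alice", "user"), form))
    print("hardened:  ", outcome(hardened_edit_user, admin, User("alice", "user"), form))
    print("form for admin:", edit_form_fields(admin, User("alice", "user")))
```

The check lives in the request handler, not only in the form builder: an Admin who re-adds the `level` parameter by hand gets the same refusal as one who ticks a box. The comparison against the target's current level also means a form that round-trips the existing level unchanged still works for an Admin who only wants to reset a password.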

Re: Admin changing User level via More Actions button

Posted: Mon May 13, 2024 1:07 pm
by Graeme59
Hi,
I agree, Admins have no need to change levels.
It's also a GDPR risk, which is a concern.
🙁
Graeme

Re: Admin changing User level via More Actions button

Posted: Mon May 13, 2024 2:32 pm
by max
Hello,
Got it, we'll get back with a fix ASAP.

Re: Admin changing User level via More Actions button

Posted: Mon May 13, 2024 2:46 pm
by Graeme59
Hi Max,
Thank you.
Cheers
Graeme

Re: Admin changing User level via More Actions button

Posted: Wed Jul 24, 2024 3:30 pm
by marco.urzi
Hi Graeme,
thanks for reporting. I'd like to let you know that we have released version 4.0.9, in which the problem has been resolved.
Greetings