[Community Server] security breach in 9.5.4.553

Tech support for Enterprise Version
dsi-lille
Posts: 200
Joined: Mon Jul 11, 2016 1:47 pm

[Community Server] security breach in 9.5.4.553

Post by dsi-lille » Fri Apr 20, 2018 10:25 am

Hello,

We have detected a security breach in Community Server version 9.5.4.553 with the feed module.
With this version, a user is able to switch from their own account to my personal admin account.

Steps:

1 - The user is connected as himself and clicks on the Feed button

2 - Then, clicks on an author name
3 - The user is now connected with my personal account.

Some details:

- My personal account is admin.
- No matter which user it is or which author name he clicked, it always switches to my personal account.
- Only some people have access to the module People (including me).

Upgrading to version 9.6 solves the problem.

Thanks,
Yoann

dsi-lille
Posts: 200
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] security breach in 9.5.4.553

Post by dsi-lille » Mon Apr 23, 2018 8:51 am

Hello,

I'm trying to reproduce this issue on our test environment with no luck for the moment...
Strange :-/

Yoann.

Maxim
Posts: 1817
Joined: Tue Oct 11, 2016 2:34 pm

Re: [Community Server] security breach in 9.5.4.553

Post by Maxim » Thu Apr 26, 2018 8:03 am

Hello Yoann!
Please confirm that you cannot reproduce this issue on your current instance.

dsi-lille
Posts: 200
Joined: Mon Jul 11, 2016 1:47 pm

Re: [Community Server] security breach in 9.5.4.553

Post by dsi-lille » Thu Apr 26, 2018 12:22 pm

Hello Maxim,

I confirm that I cannot reproduce this issue:

- in our production environment since the upgrade to Community Server 9.6
- in our test environment with Community Server 9.5, but this environment is not like our production one (much fewer users). Maybe that's why I cannot reproduce the issue on this environment: fewer users means less data in the feed module...

Thanks,
Yoann

Maxim
Posts: 1817
Joined: Tue Oct 11, 2016 2:34 pm

Re: [Community Server] security breach in 9.5.4.553

Post by Maxim » Thu Apr 26, 2018 12:56 pm

Hello dsi-lille!
Great thanks
