php · shopper/framework · Critical
shopper/framework: Authorization bypass in team settings (fixed in v2.8.0)
Two authorization defects in team settings allowed any authenticated panel user to take over the RBAC system: Settings/Team/Index had no mount() authorization, and Settings/Team/RolePermission gated write actions on the read-only view_users permission.
What changed
Two authorization defects in team settings allowed any authenticated panel user to take over the RBAC system: Settings/Team/Index had no mount() authorization, and Settings/Team/RolePermission gated write actions on the read-only view_users permission. Fixed in v2.8.0 by requiring manage_users for both.
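To make the two defect patterns concrete, here is an added example, not code from shopper/framework: hypothetical Livewire components (class names, method names and view names are invented) showing the missing mount() check, the write action gated on the read-only view_users permission, and the corrected form that requires manage_users on both the entry point and the mutating action. It assumes a Laravel application in which manage_users and view_users are registered as Gate abilities.

```php
<?php
// Added example, not shopper/framework's own code. Hypothetical Livewire components
// illustrating the two defect patterns in the advisory and the corrected form.
// Assumptions: Laravel + Livewire, with `manage_users` and `view_users` registered
// as Gate abilities (for example through a permission package). Names are invented.

namespace App\Livewire\Settings\Team;

use Illuminate\Support\Facades\Gate;
use Livewire\Component;

// Vulnerable pattern 1 (Index): no authorization in mount(), so any authenticated
// panel user can load the team settings screen and the data it renders.
class IndexVulnerable extends Component
{
    public function mount(): void
    {
        // Nothing here: hiding the menu entry is not an access control.
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}

// Vulnerable pattern 2 (RolePermission): the write action checks a read permission.
class RolePermissionVulnerable extends Component
{
    public function togglePermission(int $roleId, string $permission): void
    {
        // Wrong gate: view_users only authorizes reading the user list, yet this
        // call mutates RBAC state.
        abort_unless(Gate::allows('view_users'), 403);

        // ... grant or revoke $permission on role $roleId ...
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}

// Fixed form: the entry point and every mutating action require manage_users.
// Livewire public methods can be invoked by the browser regardless of what the
// view rendered, so a mount() check alone does not protect the actions.
class RolePermissionFixed extends Component
{
    public function mount(): void
    {
        abort_unless(Gate::allows('manage_users'), 403);
    }

    public function togglePermission(int $roleId, string $permission): void
    {
        // Re-check on the action itself; mount() authorization is not inherited
        // by later action calls.
        abort_unless(Gate::allows('manage_users'), 403);

        // ... grant or revoke $permission on role $roleId ...
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}
```

A useful regression check is a Livewire feature test that acts as a user holding only view_users and asserts that `Livewire::test(RolePermissionFixed::class)` is forbidden, plus a second test that calls `togglePermission` as that user and expects a 403; the second test is the one that catches the write-action defect, since the mount() check would pass for a user who legitimately has manage_users.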
Who it affects
All users of shopper/framework prior to v2.8.0.
What to do today
Upgrade to v2.8.0 immediately via composer require shopper/admin:^2.8.