| Issue: | |
|---|---|
| Date: | |
| Severity: | Medium |
| Requires Admin Access: | Yes |
| Fix Version: | 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS |
| Credit: | Internal Security Team |
| Description: | The Tools and Log Files tabs under the System → Maintenance tool, which is and always has been an admin tool, are accessible to some users without the CMS Admin role. Users with the "Site Admin" role, who are not system administrators, should not have access to the Maintenance tools. This allows the downloading of database dumps and other dotCMS content under the Tools tab. It can also exacerbate the dangers posed by other log-related security issues, such as SI-70's exposure of database credentials in system logs. Nothing in System → Maintenance should be displayed for users with the site admin role; only system admins may have access to System Maintenance. |
| Mitigation: | Users with the site admin role should not have access to the site maintenance portlet. |
| References: | |
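The access-control mistake the advisory describes is a privileged portlet being gated on "some admin role" rather than on the specific system-administrator role. The following is an added illustration, not dotCMS code: a constructed role model with a `Site Admin` and a `CMS Admin` role (names taken from the advisory, everything else assumed), a deliberately loose check that lets any admin-style role reach maintenance actions, and a hardened deny-by-default check that requires `CMS Admin` and records every decision so denied attempts can be alerted on.

```python
"""Added example (not dotCMS code). Role names follow the advisory; the
actions, data model and checks are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

CMS_ADMIN = "CMS Admin"    # system administrator (may use System -> Maintenance)
SITE_ADMIN = "Site Admin"  # site-level administrator, not a system administrator

# Constructed action names standing in for the Tools / Log Files tabs.
MAINTENANCE_ACTIONS = frozenset({
    "maintenance:tools",
    "maintenance:logs",
    "maintenance:db-dump",
})


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


def is_authorized_weak(user: User, action: str) -> bool:
    """Loose check of the kind the advisory warns about: any role whose name
    ends in 'Admin' is treated as sufficient, so Site Admin slips through."""
    if action not in MAINTENANCE_ACTIONS:
        return False
    return any(role.endswith("Admin") for role in user.roles)


def is_authorized(user: User, action: str,
                  audit: Optional[List[str]] = None) -> bool:
    """Hardened check: deny by default, require the exact system-admin role,
    and append an audit line for every decision (denials are detection signal)."""
    if action not in MAINTENANCE_ACTIONS:
        decision = False  # unknown action: never allow implicitly
    else:
        decision = CMS_ADMIN in user.roles
    if audit is not None:
        audit.append(
            f"{'ALLOW' if decision else 'DENY'} user={user.name} "
            f"action={action} roles={sorted(user.roles)}"
        )
    return decision


def visible_maintenance_tabs(user: User) -> FrozenSet[str]:
    """Only render Maintenance tabs the user is actually allowed to use, so
    the portlet shows nothing at all to a Site Admin."""
    return frozenset(a for a in MAINTENANCE_ACTIONS if is_authorized(user, a))


if __name__ == "__main__":
    site_admin = User("alice", frozenset({SITE_ADMIN}))
    sys_admin = User("bob", frozenset({CMS_ADMIN}))
    log: List[str] = []
    print("weak check lets Site Admin dump DB:",
          is_authorized_weak(site_admin, "maintenance:db-dump"))
    print("hardened check:", is_authorized(site_admin, "maintenance:db-dump", log))
    print("tabs for Site Admin:", sorted(visible_maintenance_tabs(site_admin)))
    print("tabs for CMS Admin:", sorted(visible_maintenance_tabs(sys_admin)))
    print("\n".join(log))
```

The point of `visible_maintenance_tabs` is that hiding the portlet is not the control; the per-action check is, and the UI simply reflects it. Feeding the audit lines into the SIEM gives a direct detection for the misconfiguration this advisory fixes: any `DENY` for a `maintenance:*` action from a user who previously succeeded is worth a look.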