Hotfix in usermanagement
High-Tech Bridge informed us about an XSRF vulnerability. A few hours later, we have now published a hotfix that fixes this behavior.
Please update the extensions kryn-core, administration and user management via the administration to the newest version; the download on kryn.org already contains the fix.
More information at:
http://www.htbridge.ch/advisory/xsrf_csrf_in_kryn_cms.html
Explanation:
If you create a user in the group "Users" and give him access to change his own user data (acl: User self edit), this user can also edit his groups. We added the new acl items "Can change username" and "Can edit groups". Please use these to restrict his access if you want.
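The problem described above is a self-edit form that applies every submitted field, including group membership. The following is an added illustration written for this post, not Kryn.cms code: it puts the old behavior next to a handler that checks a separate acl item per field, using the acl names from the advisory (the field-to-acl mapping and the User fields are assumptions for the example).

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    username: str
    email: str
    groups: set = field(default_factory=set)


# Which acl item a user must hold to change each field of his own record.
# The acl names follow the advisory; the mapping itself is an assumption.
FIELD_ACL = {
    "email": "user_self_edit",
    "username": "can_change_username",
    "groups": "can_edit_groups",
}


def unsafe_self_edit(user, submitted):
    """Pre-hotfix behavior: every submitted field is written, so a user
    with only 'User self edit' can also rewrite his own groups."""
    for key, value in submitted.items():
        setattr(user, key, value)
    return user


def safe_self_edit(user, submitted, acl):
    """Apply only the fields whose acl item the acting user holds.
    Unknown fields and fields without the matching acl are dropped and
    reported, so the caller can log the attempt."""
    if "user_self_edit" not in acl:
        raise PermissionError("user may not edit his own data")
    rejected = []
    for key, value in submitted.items():
        needed = FIELD_ACL.get(key)
        if needed is None or needed not in acl:
            rejected.append(key)  # silently ignoring is not enough: record it
            continue
        setattr(user, key, value)
    return user, rejected
```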