
Security vulnerability - Elevation of privilege

A security vulnerability has been detected that allows elevation of privilege for a user who has access to Edit mode in EPiServer CMS 5 and CMS 6. In practice this means that someone with editorial privileges could take ownership of the “WebAdmins” account.

Websites based on EPiServer CMS 5 and 6 using Forms Authentication with a Membership provider that supports updating are affected by this security vulnerability. Websites using Windows Authentication or Forms Authentication with Windows Membership provider are not affected.
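
A triage check for the affected-configuration rule above, as an added example that is not EPiServer's own code: it reads a site's web.config and reports whether the site uses Forms Authentication with a non-Windows Membership provider. The function names, the constructed sample configs and the `WindowsMembershipProvider` type-name match are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: a provider whose type name contains this string is a Windows
# Membership provider, the configuration the advisory lists as not affected.
WINDOWS_PROVIDER_MARKER = "WindowsMembershipProvider"

def triage_web_config(xml_text):
    """Classify one web.config against the advisory's affected-configuration rule."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # tolerate an xmlns on <configuration>
        el.tag = el.tag.split("}")[-1]
    system_web = root.find("system.web")
    if system_web is None:
        return "review", "no <system.web> section in this file"
    auth = system_web.find("authentication")
    # ASP.NET falls back to Windows authentication when no mode is configured.
    mode = auth.get("mode", "Windows") if auth is not None else "Windows"
    if mode.lower() != "forms":
        return "not-affected", "authentication mode is " + mode
    membership = system_web.find("membership")
    if membership is None:
        return "review", "Forms authentication, membership settings inherited"
    default = membership.get("defaultProvider")
    types = {p.get("name"): p.get("type", "") for p in membership.iterfind("providers/add")}
    if default not in types:
        return "review", "default provider %r is not defined in this file" % default
    if WINDOWS_PROVIDER_MARKER in types[default]:
        return "not-affected", "Forms authentication with a Windows Membership provider"
    # Whether a provider supports updating cannot be read from config alone,
    # so every other provider is flagged for follow-up.
    return "potentially-affected", "Forms authentication with provider type " + types[default]

def sample_config(mode, provider_type):
    """Build a constructed web.config fragment (not taken from a real site)."""
    return ('<configuration><system.web><authentication mode="%s"/>'
            '<membership defaultProvider="P"><providers>'
            '<add name="P" type="%s"/></providers></membership>'
            '</system.web></configuration>' % (mode, provider_type))

if __name__ == "__main__":
    for mode, ptype in [("Forms", "System.Web.Security.SqlMembershipProvider"),
                        ("Forms", "EPiServer.Security.WindowsMembershipProvider, EPiServer"),
                        ("Windows", "System.Web.Security.SqlMembershipProvider")]:
        print(mode, ptype, "->", triage_web_config(sample_config(mode, ptype)))
```

A "review" result means the file alone does not settle the question, for example when the membership settings are inherited from a parent configuration.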

We recommend that our partners contact EPiServer Developer Support to obtain a hotfix for the CMS-specific security concerns.

The above shares some characteristics with the vulnerability previously reported by Microsoft, but the two should not be mistaken for the same issue. For more information, see Microsoft Security Bulletin MS11-100.

Jan 10, 2012

Magnus Rahl
( By Magnus Rahl, 1/10/2012 6:55:13 PM)

I assume this includes CMS 6 R2?

Lars Bodahl
( By Lars Bodahl, 1/10/2012 10:44:23 PM)

All CMS 5 and 6 versions. You get a hotfix from support :)
( By, 1/11/2012 9:05:15 AM)

