Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.6.0, <= 5.9.14
An authorization bypass vulnerability has been identified in Craft CMS versions 5.6.0 through 5.9.14. The issue arises in the 'actionSavePermissions()' endpoint, where a user with only 'viewUsers' permission can remove arbitrary users from all user groups. This vulnerability exists because the '_saveUserGroups()' method, which handles group assignments, lacks proper authorization checks for removals. As a result, submitting an empty 'groups' value deletes all existing group memberships. The vulnerability was introduced in version 5.6.0 and affects users with 'accessCp' and 'viewUsers' permissions on the Pro edition or higher.
Exploitation of this vulnerability allows for unauthorized removal of users from groups, revoking all associated permissions. This can lead to a denial of access to features and sections reliant on group membership. Additionally, the vulnerability bypasses a requirement for elevated session privileges when groups are removed.
To reproduce this vulnerability, a user must have a control panel account with 'accessCp' and 'viewUsers' permissions only. Once logged in, the user can send a POST request to 'actions/users/save-permissions', including the target user's ID and an empty 'groups' value. This action will remove the target user from all groups, stripping away any permissions granted by those groups.
Users can update to Craft CMS version 5.9.15 or later, where this vulnerability has been patched.
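The authorization gap described above, modelled as an added example (not Craft CMS code): a pre-fix handler that replaces the membership set outright beside a hardened variant that gates removals behind an assignment permission and an elevated session. The names `Actor`, `save_user_groups_vulnerable`, `save_user_groups_fixed` and the permission `assignUserGroups` are assumptions for illustration; only `accessCp` and `viewUsers` come from the advisory.

```python
"""Hypothetical model of the _saveUserGroups() authorization check.

Added example, not the Craft CMS implementation. The 'assignUserGroups'
permission name is an assumption; 'accessCp' and 'viewUsers' are the
permissions named in the advisory.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

PERM_ACCESS_CP = "accessCp"
PERM_VIEW_USERS = "viewUsers"
PERM_ASSIGN_GROUPS = "assignUserGroups"  # assumed gating permission


@dataclass(frozen=True)
class Actor:
    permissions: FrozenSet[str]
    elevated: bool = False  # whether the session was recently re-authenticated


def _can_reach_endpoint(actor: Actor) -> None:
    # The advisory states a control-panel account with these two permissions
    # is enough to reach actions/users/save-permissions.
    if not {PERM_ACCESS_CP, PERM_VIEW_USERS} <= actor.permissions:
        raise PermissionError("accessCp and viewUsers required")


def save_user_groups_vulnerable(actor: Actor, current: Iterable[str],
                                requested: Iterable[str]) -> Set[str]:
    """Pre-fix behaviour: the requested set replaces the current one with no
    check on removals, so an empty 'groups' value wipes every membership."""
    _can_reach_endpoint(actor)
    return set(requested)


def save_user_groups_fixed(actor: Actor, current: Iterable[str],
                           requested: Iterable[str]) -> Set[str]:
    """Hardened variant: compute the diff and refuse removals unless the actor
    holds the assignment permission AND has an elevated session."""
    _can_reach_endpoint(actor)
    current_set, requested_set = set(current), set(requested)
    removed = current_set - requested_set
    if removed and PERM_ASSIGN_GROUPS not in actor.permissions:
        raise PermissionError(f"{PERM_ASSIGN_GROUPS} required to remove groups")
    if removed and not actor.elevated:
        raise PermissionError("elevated session required to remove groups")
    return requested_set
```

A viewer-only actor sending an empty group list is the case the fixed function must reject.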