User Privilege Escalation Possible In Velocity Code

Issue: SI-51
Date: Jan 25, 2019 9:00:00 AM
Severity: Moderate
Requires Admin Access: Yes
Fix Version: 5.1.0
Credit: 7Safe
Description:

By publishing custom, problematic VTL code, a user is able to elevate their dotCMS permissions for the duration of their browsing session.

The user must have publish permissions to publish the custom VTL file.

The status of the issue can be tracked here: https://github.com/dotCMS/core/issues/15882

Workaround:

None at this time.