Broken Access Control for Roles with User Admin

Issue: SI-69
Date: Mar 15, 2024, 12:00:00 AM
Severity: Medium
Requires Admin Access: Yes
Fix Version: 24.03.22 / 22.03.15 LTS / 23.01.15 LTS / 23.10.24v8 LTS
Credit: Internal Security Team
Description:

The Tools and Log Files tabs under the System → Maintenance tool, which is and always has been an admin tool, are accessible to some users who do not hold the CMS Admin role.

Users with the "Site Admin" role, who are not system administrators, should not have access to the Maintenance tools. This allows the downloading of database dumps and other dotCMS content under the Tools tab. It can also exacerbate the dangers posed by other log-related security issues, such as SI-70's exposure of database credentials in system logs.

Nothing in System → Maintenance should be displayed for users with site admin role; only system admins may have access to System Maintenance.

Mitigation:

Users with the Site Admin role should not have access to the System Maintenance portlet.
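The defect described above is a classic role-granularity mistake: an "is this an admin?" check that accepts any admin-like role instead of the one role that actually owns the tool. The following is an added illustration of the check class, not dotCMS's own code; the role names, function names, and the tab list are assumptions made for the example. It places the too-broad check beside the corrected one and shows how the UI visibility rule ("nothing in System → Maintenance is displayed") and the server-side download authorization should both derive from the same, narrow decision.

```python
from dataclasses import dataclass

# Hypothetical role labels for the example; these are NOT dotCMS's internal role keys.
CMS_ADMIN = "CMS Administrator"   # system-wide administrator
SITE_ADMIN = "Site Admin"         # per-site administrator, not a system admin

# Sub-tabs of the maintenance tool as named in the advisory.
MAINTENANCE_TABS = ("Tools", "Log Files")


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def can_open_maintenance_broken(user: User) -> bool:
    """Models the pre-fix behaviour: any role whose name contains 'Admin'
    is treated as sufficient, so a Site Admin reaches Tools / Log Files."""
    return any("Admin" in role for role in user.roles)


def can_open_maintenance_fixed(user: User) -> bool:
    """Corrected check: only the system-wide CMS Admin role may open
    System -> Maintenance. Holding Site Admin (alone) is never enough."""
    return CMS_ADMIN in user.roles


def visible_maintenance_tabs(user: User) -> tuple:
    """UI rule derived from the same decision: render no maintenance tab at all
    for users who fail the system-admin check."""
    return MAINTENANCE_TABS if can_open_maintenance_fixed(user) else ()


def authorize_tools_download(user: User, artifact: str) -> dict:
    """Server-side enforcement for a Tools-tab download (e.g. a database dump).
    Hiding the tab is not enough; the request handler must re-check the role.
    Returns a decision plus an audit record so denials are visible in logs."""
    allowed = can_open_maintenance_fixed(user)
    return {
        "allowed": allowed,
        "audit": (
            f"maintenance.download user={user.name} artifact={artifact} "
            f"decision={'ALLOW' if allowed else 'DENY'} "
            f"roles={','.join(sorted(user.roles))}"
        ),
    }


if __name__ == "__main__":
    # Constructed sample users for the demonstration.
    site_admin = User("alice", frozenset({SITE_ADMIN}))
    sys_admin = User("bob", frozenset({CMS_ADMIN, SITE_ADMIN}))
    for u in (site_admin, sys_admin):
        print(u.name, "broken:", can_open_maintenance_broken(u),
              "fixed:", can_open_maintenance_fixed(u),
              "tabs:", visible_maintenance_tabs(u))
        print(authorize_tools_download(u, "db-dump.sql.gz")["audit"])
```

The point of `authorize_tools_download` is that menu visibility and request authorization must share one decision function; a fix that only hides the tab leaves the download endpoint reachable by a crafted request, which is why the advisory's mitigation is phrased in terms of access to the portlet rather than its appearance.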
