Cisco Bug: CSCsz13881 - Read Only user can modify HTML source to alter privilege
Aug 11, 2015
- Cisco Wide Area Application Services (WAAS) Appliances
Known Affected Releases
Symptom: When a user has write access to a page in one scope and only read-only access to the same page in another scope, that user can gain write access to the read-only pages by modifying their HTML content to match the corresponding write-access pages.

Conditions:
1. The user has write access to page1 at the Device level but read-only access to the same page at the DG level.
2. The user navigates to the Device-level page and views the source of its HTML content (the write-access version of the page).
3. The user then navigates to the read-only page at the DG level and modifies its HTML content to match the Device-level page (the same page with write access). After modifying the HTML content, the user obtains write access on that page and can perform any possible write operation on it.
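The root cause of this bug class is a server that derives authorization from what the rendered page sends back rather than from its own permission store. The following is an added illustration, not Cisco WAAS code: a vulnerable save handler that trusts a client-side read-only marker, next to a hardened one that checks the user's server-side permission for the scope being changed. The user/permission model, the `readonly` form marker and the sample values are assumptions; DG is read here as the device-group level.

```python
# Added example, not Cisco WAAS code. Models the bug class in CSCsz13881:
# a handler that decides write access from the submitted form (which the
# client can edit) versus one that checks server-side permission per scope.
# The permission model, field names and sample values are assumptions.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # (scope, object_id) -> "read" or "write", e.g. ("device", "wae1")
    perms: dict = field(default_factory=dict)
    denied_log: list = field(default_factory=list)  # audit trail of refusals


def can_write(user: User, scope: str, obj_id: str) -> bool:
    """Authoritative check: consult server-side permissions only."""
    return user.perms.get((scope, obj_id)) == "write"


def vulnerable_save(user: User, scope: str, obj_id: str, form: dict) -> str:
    """Trusts a client-controlled marker. The read-only page was rendered
    with disabled controls and a readonly flag, so the server assumes no
    write can arrive from it; an edited page submits whatever it likes."""
    if form.get("readonly") == "true":
        return "denied"
    return "saved"


def hardened_save(user: User, scope: str, obj_id: str, form: dict) -> str:
    """Ignores any client marker; authorizes per scope and object."""
    if not can_write(user, scope, obj_id):
        # A write against a scope where the user is read-only is worth
        # auditing: a legitimately rendered read-only page never submits one.
        user.denied_log.append((scope, obj_id, sorted(form)))
        return "denied"
    return "saved"


# Constructed sample matching the bug's conditions: write at the device level,
# read-only on the same page at the device-group (DG) level.
OPERATOR = User("operator", {("device", "wae1"): "write", ("dg", "dg1"): "read"})
# Form a DG page submits after its HTML was edited to match the device page;
# the readonly marker is entirely under the client's control.
EDITED_DG_FORM = {"readonly": "false", "interception": "enabled"}


def demo() -> dict:
    return {
        "vulnerable_dg": vulnerable_save(OPERATOR, "dg", "dg1", EDITED_DG_FORM),
        "hardened_dg": hardened_save(OPERATOR, "dg", "dg1", EDITED_DG_FORM),
        "hardened_device": hardened_save(OPERATOR, "device", "wae1", EDITED_DG_FORM),
    }
```

Running `demo()` shows the vulnerable handler accepting the edited DG submission while the hardened one refuses it and records the attempt, yet still permits the same user's legitimate device-level write.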