The Elearning Community

Posted: **Mon May 13, 2024 11:25 am**

Hi,
I found a user who had been made a Super admin by an Admin, in error.

The Admin had used the More Actions option in the Organisation chart to edit a user's password, they had ticked the New password, populated the boxes and also ticked the Level which by default is set to Super admin.

This resulted in a level change, giving a user, Super admin privileges and access to all user's details.

This was in a site running 3.01, I have tested it and it is still possible in 4.0.7.

Can this be amended in the Administrator profile settings?

See image
Cheers
Graeme

Posted: **Mon May 13, 2024 11:35 am**

Hi Graeme, it's not a bug, but I agree, an Admin should not be capable of changing levels at all, or, if needed, should not be capable of elevating levels. This is a privilege escalation vulnerability of Forma.

Posted: **Mon May 13, 2024 1:07 pm**

Hi,
I agree Admins have no need to change levels.
It’s also a GDPR risk which is a concern.

Graeme

Posted: **Mon May 13, 2024 2:32 pm**

Hello,
got it, we'll get back with a fix asap

Posted: **Mon May 13, 2024 2:46 pm**

Hi Max,
Thank you.
Cheers
Graeme

The Elearning Community

Admin changing User level via More Actions button

Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

Re: Admin changing User level via More Actions button

This site uses cookies.