Broken Access Control

The Pimcore admin application is allowing a user to access/view the admin functionalities by simply changing “admin:false” to “admin:true”.

Attached screenshots. It further allows me to access all settings, classes etc. Can someone please help me understand what should be done in order to overcome this!

Yes, but try to access stuff; you’ll get a lot of error messages then.

UI admin is different to actually being admin.

I can make changes to classes, system settings, metadata etc. Below are the screenshots.

The permissions, which have been given to the user AssetContributor, are:

  1. asset_metadata
  2. assets

That is considered a security problem then; please contact Pimcore here about this: https://pimcorehq.wufoo.com/forms/pimcore-security-report/

You cannot add or modify classes without having the right to do so.
Same with system-settings, that’s just not possible.

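The distinction discussed in this thread, between a flipped client-side admin flag and what the server actually authorizes, can be modelled as follows. This is an added example, not code from any poster or from Pimcore; the user store, the action names and the `classes` / `system_settings` permission keys are assumptions made for illustration, while `AssetContributor`, `asset_metadata` and `assets` come from the thread.

```python
# Constructed model of a server-side user store; not Pimcore code.
USERS = {
    "AssetContributor": {"admin": False,
                         "permissions": {"asset_metadata", "assets"}},
    "root": {"admin": True, "permissions": set()},
}

# Hypothetical mapping of admin actions to the permission each one needs.
REQUIRED = {
    "asset.update_metadata": "asset_metadata",
    "class.save": "classes",
    "settings.save": "system_settings",
}


def authorize_trusting_client(request):
    """Weak: believes the 'admin' value the browser sent back."""
    user = USERS[request["session_user"]]
    if request["body"].get("admin") is True:
        return True
    return REQUIRED[request["action"]] in user["permissions"]


def authorize_server_side(request):
    """Hardened: decides only from the server's own record of the user."""
    user = USERS.get(request["session_user"])
    needed = REQUIRED.get(request["action"])
    if user is None or needed is None:
        return False  # unknown user or action: deny by default
    return user["admin"] or needed in user["permissions"]


def tampered_request(action):
    """Request from AssetContributor with the flag flipped client-side."""
    return {"session_user": "AssetContributor", "action": action,
            "body": {"admin": True}}


if __name__ == "__main__":
    # Compare both checks for every action under the tampered flag.
    for action in REQUIRED:
        req = tampered_request(action)
        print(action, authorize_trusting_client(req), authorize_server_side(req))
```

If the server behaves like `authorize_server_side`, the flipped flag only changes what the UI renders and privileged saves are refused; if saves succeed, the server is behaving like `authorize_trusting_client`.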