github shopperlabs/shopper v2.8.1

3 hours ago

Security Release

Patches three further authorization bypasses in the admin team settings that were not covered by v2.8.0 / GHSA-f946-9qp6-vgch. A staff user holding only view_users + access_dashboard could grant themselves any permission, create a new admin user with a password of their choosing, or delete arbitrary permissions and any role marked removable. The affected entry points are server-side component actions, so hiding the controls in the UI is not a mitigation; upgrading is recommended for every install where non-admin staff can reach the team management UI.

Disclosed responsibly by @therawdev.

Security Fixes

  • fix(security): require access_setting on Settings/Team/Permissions::togglePermission and removePermission (was gated on the read-only view_users) by @mckenziearts in #514
  • fix(security): require access_setting on SlideOvers/CreateTeamMember::mount and store (was gated on view_users, allowing low-privilege users to provision a new admin account with a chosen password) by @mckenziearts in #514
  • fix(security): add ->authorize('access_setting') to Settings/Team/RolePermission::deleteAction (previously gated only on ->visible(can_be_removed), which hides the control but performs no authorization check) by @mckenziearts in #514
  • test(security): add regression tests covering every blocked path on the three components by @mckenziearts in #514
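The pattern behind all three fixes, as an added illustration that is not shopper's own code: a Livewire component that gated only mount() on the read ability, beside the hardened shape that requires the write ability on mount() and again inside the action, followed by regression tests of the kind the fourth bullet describes. Component, model and ability names are hypothetical; syncRoles / givePermissionTo / revokePermissionTo are assumed spatie-style helpers, and view_users / access_setting are assumed to resolve through Laravel's Gate.

```php
<?php
// Added illustration, not shopper's code. Component, model and ability names
// are hypothetical; view_users and access_setting are assumed to be resolvable
// by Laravel's Gate (for example through a permission package).

namespace App\Livewire\SlideOvers;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Facades\Hash;
use Livewire\Component;

// Vulnerable shape: the only check runs in mount() and tests a read ability.
// Livewire dispatches public methods over the wire, so anyone who passes
// mount() can call store() directly, even if no button for it is rendered.
final class CreateTeamMemberVulnerable extends Component
{
    use AuthorizesRequests;

    public string $name = '';
    public string $email = '';
    public string $password = '';
    public array $roles = [];

    public function mount(): void
    {
        $this->authorize('view_users'); // read ability guarding a write component
    }

    public function store(): void
    {
        // No check here: a view_users holder creates an account with a
        // password and roles of their choosing.
        $user = User::create([
            'name' => $this->name,
            'email' => $this->email,
            'password' => Hash::make($this->password),
        ]);
        $user->syncRoles($this->roles); // assumed role helper (spatie-style)
    }
}

// Hardened shape: the write ability is required when the component mounts and
// again inside every state-changing action. The same one-line authorize() goes
// into togglePermission / removePermission / deleteAction style methods; a
// ->visible() predicate only hides a control and is not an authorization check.
final class CreateTeamMember extends Component
{
    use AuthorizesRequests;

    public string $name = '';
    public string $email = '';
    public string $password = '';
    public array $roles = [];

    public function mount(): void
    {
        $this->authorize('access_setting');
    }

    public function store(): void
    {
        // Each public method is its own server entry point, so authorize the
        // action itself; mount() runs only on the initial render.
        $this->authorize('access_setting');

        $this->validate([
            'name' => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'unique:users,email'],
            'password' => ['required', 'string', 'min:12'],
            'roles' => ['array'],
        ]);

        $user = User::create([
            'name' => $this->name,
            'email' => $this->email,
            'password' => Hash::make($this->password),
        ]);
        $user->syncRoles($this->roles); // assumed role helper (spatie-style)
    }
}

// ---- tests/Feature/TeamAuthorizationTest.php (Pest) ----
use Livewire\Livewire;

it('refuses to mount for a user holding only view_users + access_dashboard', function () {
    $viewer = User::factory()->create();
    $viewer->givePermissionTo(['view_users', 'access_dashboard']); // assumed helper

    Livewire::actingAs($viewer)->test(CreateTeamMember::class)->assertForbidden();
});

it('re-checks access_setting on store(), not only on mount()', function () {
    $admin = User::factory()->create();
    $admin->givePermissionTo(['view_users', 'access_dashboard', 'access_setting']);

    $component = Livewire::actingAs($admin)->test(CreateTeamMember::class);

    // Later wire calls rehydrate from the snapshot without re-running mount(),
    // so an ability revoked in the meantime must be caught by the action.
    $admin->revokePermissionTo('access_setting'); // assumed helper

    $component->set('name', 'Mallory')
        ->set('email', 'mallory@example.test')
        ->set('password', 'correct-horse-battery-staple')
        ->set('roles', ['administrator'])
        ->call('store')
        ->assertForbidden();

    expect(User::where('email', 'mallory@example.test')->exists())->toBeFalse();
});
```

The second test is the one that distinguishes a mount-only guard from an action-level guard: the component is mounted by an authorized user, the ability is then revoked, and the subsequent store() call must still return 403 and leave no account behind. The same shape applies to the permission toggle, removal and role delete actions named in the bullets above.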

Upgrading

composer update shopper/framework

No migrations.

Full Changelog: v2.8.0...v2.8.1
