Published: 2016/05/26  Last Updated: 2016/05/26

Vulnerability ID: JVN#00460236
Title: NetCommons vulnerable to privilege escalation

This is a statement from the vendor itself with no modification by JPCERT/CC.

An outside agency pointed out that the member registration function of
member management has a vulnerability: a member who has the authority of
the secretariat can create a member who has the authority of “the
(system) administrator.”

In the NetCommons Project, the secretariat could originally update and
delete members because it had the administrator right for membership
management.
However, on the screen, the operation that creates a member with the
authority of the (system) administrator had been restricted to prevent
an operation mistake.

Having received this point, we have modified the system, and now the
secretariat does not have the right to create a member who has the
administrator authority (not only on the screen).