Summary
Privilege escalation through a non-admin user's account.
Limited users can impersonate another user's account if only single-factor authentication is configured.
PoC
If I know an admin username, and open the login screen and type the admin's username and enter the wrong password, then type any other valid user's name and password, it logs me in as the username that I entered initially with their permission. Even shows admin user's name in the upper left.
Impact
Users of 0.8.1
cmsmith1977 Reporter
Summary
Privilege escalation through a non-admin user's account.
Limited users can impersonate another user's account if only single-factor authentication is configured.
PoC
If I know an admin username, and open the login screen and type the admin's username and enter the wrong password, then type any other valid user's name and password, it logs me in as the username that I entered initially with their permission. Even shows admin user's name in the upper left.
Impact
Users of 0.8.1