Axelor Open Platform
Monthly
Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.
Privilege escalation in Axelor Open Platform 8.x before 8.2.2 lets an authenticated non-admin user grant themselves administrative roles and groups by writing to protected User fields through a nested relational save on a related entity, bypassing the USER_RESTRICTED_FIELDS control. The flaw (CWE-863, improper authorization) was reported by VulnCheck and has publicly available exploit code; it is not listed in CISA KEV. With a CVSS 4.0 base score of 8.7 and full compromise of confidentiality, integrity, and availability of the vulnerable system, any low-privileged account can effectively become an administrator.