GHSA-jq2f-59pj-p3m3: Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
The actionSavePermissions() endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While _saveUserGroups() enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups value removes all existing group memberships.
References
Code Behaviors & Features
Detect and mitigate GHSA-jq2f-59pj-p3m3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →