CVE-2019-11553

Name of the Vulnerable Software and Affected Versions Code42 for Enterprise versions through 6.8.4

Description The issue allows an administrator without web restore permission but with user management capabilities to impersonate a user who has web restore permission. This can be achieved by requesting a token for web restore on behalf of the user they manage, effectively granting the administrator the user's permissions. The exploitation requires the administrator to have access to manage an organization that includes a user with greater permissions.

Recommendations For Code42 for Enterprise versions through 6.8.4, restrict access to user management for administrators without web restore permission to prevent impersonation. Additionally, consider limiting the ability of administrators to request tokens on behalf of other users as a temporary mitigation measure until a fix is available.