PT-2022-28244 · Unknown · Company Account Feature

Published 2022-11-10 · Updated 2022-11-10


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Company account feature version 4 and later

Description

A critical issue allows users with the Company admin role to assign any role to any user, bypassing subtree limitations. This also affects users with the role / assign policy, typically given to administrators. The issue can be exploited by users with this policy, so it is recommended to verify who has this policy in the installation.

Recommendations

For version 4 and later, apply the fix to ensure subtree limitations work as intended. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

GHSA-G6JC-XRC3-4WWQ

Affected Products

Company Account Feature