Merge pull request #13931 from craftcms/bugfix/user-perms

Fixed a potential privilege escalation bug
craftcms · Nov 16, 2023 · be81eb6 · be81eb6
2 parents e7fcfe8 + dfe1b83
commit be81eb6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 3.x
 
+## Unreleased
+
+- Fixed a privilege escalation vulnerability.
+
 ## 3.9.5 - 2023-10-17
 
 - Added `pgpassword` and `pwd` to the list of keywords that Craft will look for when determining whether a value is sensitive and should be redacted from logs, etc.

diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
@@ -1206,7 +1206,7 @@ public function actionSaveUser()
         // Is the site set to use email addresses as usernames?
         if ($generalConfig->useEmailAsUsername) {
             $user->username = $user->email;
-        } else {
+        } elseif ($isNewUser || $currentUser->admin || $isCurrentUser) {
             $user->username = $this->request->getBodyParam('username', ($user->username ?: $user->email));
         }