There are multiple ways the 'administer actions' permission could be abused to gain control of a site. Example STR:

1. As a user with the 'administer actions' permission, go to /admin/config/system/actions
2. Create an advanced action: "Add a role to the selected users..."
3. Choose the administrator role and make up a deceptive label, something like "Prevent user from placing spam comments".
4. Trick the admin into performing that action on your account through the 'mass mutation' option on the people overview.

From the Drupal 8 security bug bounty

https://tracker.bugcrowd.com/submissions/71023cebc6c19161ed8bb4a0dbee8ae...

credit to https://www.drupal.org/u/JvE

Marking this as a security improvement since it's an indirect attack vs. a direct XSS or other security hole.
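The steps above describe the attack; what a site owner usually wants afterwards is a way to find such actions in their own site. The following is an added example, not code from the issue, the patch or Drupal core: a small audit script over an exported Drupal 8 config directory (user.role.*.yml and system.action.*.yml files). It flags any non-admin role that holds 'administer actions' and any action whose plugin adds an admin role, regardless of what its label claims, since the label is exactly the part the attacker controls. The sample config files embedded in the script are constructed and abbreviated, and the field names it relies on (plugin id user_add_role_action, configuration.rid, is_admin, permissions) are assumptions about the export format, not taken from this page. The parser covers only the flat YAML subset those exports use.

```python
# Added example, not code from the issue, the patch or Drupal core: audit an exported
# Drupal 8 config directory for the escalation path described in the issue summary.
# The action label is attacker-chosen, so the check keys on the action plugin and the
# role it adds, never on the label. Sample exports are constructed and abbreviated; the
# field names (plugin id `user_add_role_action`, `configuration.rid`, `is_admin`,
# `permissions`) are assumed to match Drupal 8's system.action.*.yml / user.role.*.yml.

RISKY_PERMISSION = "administer actions"
ROLE_ADDING_PLUGIN = "user_add_role_action"  # assumed plugin id of "Add a role to the selected users..."

SAMPLE_CONFIG = {  # constructed stand-in for a config sync directory
    "user.role.administrator.yml":
        "id: administrator\nlabel: Administrator\nis_admin: true\npermissions: {  }\n",
    "user.role.editor.yml":  # a non-admin role that was given 'administer actions'
        "id: editor\nlabel: Editor\nis_admin: null\n"
        "permissions:\n  - 'access content'\n  - 'administer actions'\n",
    "system.action.user_add_role_action.administrator.yml":  # honest label, still escalating
        "dependencies:\n  module:\n    - user\n"
        "id: user_add_role_action.administrator\n"
        "label: 'Add the Administrator role to the selected user(s)'\n"
        "type: user\nplugin: user_add_role_action\nconfiguration:\n  rid: administrator\n",
    "system.action.prevent_spam_comments.yml":  # the deceptive action from the steps to reproduce
        "dependencies:\n  module:\n    - user\n"
        "id: prevent_spam_comments\n"
        "label: 'Prevent user from placing spam comments'\n"
        "type: user\nplugin: user_add_role_action\nconfiguration:\n  rid: administrator\n",
    "system.action.user_block_user_action.yml":  # harmless, must not be flagged
        "id: user_block_user_action\nlabel: 'Block the selected user(s)'\n"
        "type: user\nplugin: user_block_user_action\nconfiguration: {  }\n",
}


def _scalar(text):
    """Decode the few YAML scalar forms that Drupal config exports use."""
    s = text.strip()
    fixed = {"{  }": {}, "{}": {}, "[]": [], "true": True, "false": False, "null": None, "~": None}
    if s in fixed:
        return fixed[s]
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return int(s) if s.lstrip("-").isdigit() else s


def _parse_block(items, i, indent):
    """Parse consecutive (indent, text) items at `indent` into a list or dict; return (value, next_i)."""
    if items[i][1].startswith("- "):
        seq = []
        while i < len(items) and items[i][0] == indent and items[i][1].startswith("- "):
            seq.append(_scalar(items[i][1][2:]))
            i += 1
        return seq, i
    mapping = {}
    while i < len(items) and items[i][0] == indent:
        key, _, rest = items[i][1].partition(":")
        key = key.strip().strip("'\"")
        i += 1
        if rest.strip():                                   # inline scalar
            mapping[key] = _scalar(rest)
        elif i < len(items) and items[i][0] > indent:      # nested block follows
            mapping[key], i = _parse_block(items, i, items[i][0])
        else:
            mapping[key] = None
    return mapping, i


def parse_config(text):
    """Minimal parser for the flat YAML subset in Drupal config exports (not a full YAML parser)."""
    items = [(len(raw) - len(raw.lstrip(" ")), raw.strip())
             for raw in text.splitlines() if raw.strip() and not raw.lstrip().startswith("#")]
    return _parse_block(items, 0, items[0][0])[0] if items else {}


def audit(config_files):
    """Return admin roles, non-admin roles able to edit actions, and actions that hand out an admin role."""
    docs = {name: parse_config(body) for name, body in config_files.items()}
    roles = [d for n, d in docs.items() if n.startswith("user.role.")]
    actions = [d for n, d in docs.items() if n.startswith("system.action.")]
    admin_rids = {r["id"] for r in roles if r.get("is_admin") is True}
    # Anyone in these roles can create an action like the one in the issue.
    action_editors = sorted(r["id"] for r in roles
                            if r["id"] not in admin_rids and RISKY_PERMISSION in (r.get("permissions") or []))
    # Any action that adds an admin role is an escalation primitive, whatever its label says.
    escalating = sorted((a["id"], a.get("label"), a["configuration"]["rid"]) for a in actions
                        if a.get("plugin") == ROLE_ADDING_PLUGIN
                        and (a.get("configuration") or {}).get("rid") in admin_rids)
    return {"admin_roles": sorted(admin_rids),
            "non_admin_roles_with_administer_actions": action_editors,
            "actions_granting_admin_role": escalating}


if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for role in findings["non_admin_roles_with_administer_actions"]:
        print(f"WARNING: role '{role}' holds '{RISKY_PERMISSION}' but is not an admin role")
    for aid, label, rid in findings["actions_granting_admin_role"]:
        print(f"WARNING: action '{aid}' (label {label!r}) adds admin role '{rid}'")
```

To run it against a real site, replace SAMPLE_CONFIG with the files read from a config export (drush cex). Note that the check also reports the stock "Add the Administrator role" action, which carries an honest label: the point is that any role-adding action targeting an admin role is a primitive an attacker with 'administer actions' can wrap in a friendlier name, so the remedy is to keep that permission away from untrusted roles rather than to police labels.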

Files:
Comment #1: 2512820-1.patch (322 bytes), by pwolanin

Comments

pwolanin:

Issue summary: updated
Status: Active » Needs review
File: 2512820-1.patch (322 bytes)
pwolanin:

Issue summary: updated
Issue tags: +D8 Security Bounty, +D8 Accelerate
googletorp:

Status: Needs review » Reviewed & tested by the community

Looks good.

alexpott:

Status: Reviewed & tested by the community » Fixed

Committed aa6ef07 and pushed to 8.0.x. Thanks!

  • alexpott committed aa6ef07 on 8.0.x
    Issue #2512820 by JvE, pwolanin:  'administer actions' permission can be...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.