Various components in the /luci/homebase and /luci/cluster menu, which should be restricted to administrative users only, are exposed to any logged-in (non-administrative, but authenticated) user if visited with a specially constructed URL. This could allow an authenticated, non-administrative user to, among other things, add new users, add systems, remove clusters from conga, and view logs.
This particular issue affects luci, as included in conga, and does not affect luci otherwise.
This issue was discovered by Radek Steiger of Red Hat.
It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:1194 https://rhn.redhat.com/errata/RHSA-2014-1194.html