It was reported that it's possible to get access as a different user when using pcsd (the pcs web UI) due to using a variable which is global to the server instead of the connection to validate usernames.
Scenario is following:
User A sends a command to pcsd, after the connection is made and authentication
happens, (but before any security checks are done), User B connects and authenticates. User A could potentially get access based on User B's permissions.
To take advantage of this the user must have access to login to pcsd.
This issue was discovered by Tomáš Jelínek of Red Hat.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:1700 https://rhn.redhat.com/errata/RHSA-2015-1700.html