Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
Impact
Thestore() method in both the web and API UsersController only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the users.create permission to create a new user with full admin privileges.The users.create permission may commonly be delegated to HR staff, department leads, or similar roles.