GHSA-6f75-x745-xcprHighCVSS 7.1
Snipe-IT: Bulk editing users allowed `ldap_import` and `activated_in` bulk editing users
🔗 CVE IDs covered (1)
📋 Description
Impact
The vulnerability allows a non-admin user holding only the granular users.edit permission to lock every admin out of the instance by editing the activated flag (which determines whether or not a user can login) and the ldap_import flag, which determines whether or not the user can request a password reset.
Patches
Patched in https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a
🎯 Affected products1
- composer/snipe/snipe-it:< 8.6.0