GHSA-hf68-g98v-wp9gMedium
Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation
🔗 CVE IDs covered (1)
📋 Description
Impact
The store() method in both the web and API UsersController only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the users.create permission to create a new user with full admin privileges.
The users.create permission may commonly be delegated to HR staff, department leads, or similar roles.
Patches
Patched in aea3877718
🎯 Affected products1
- composer/snipe/snipe-it:< 8.6.0