HIGH 8.8
GHSA-hq28-crg7-95pr
Snipe-IT has Privilege Escalation via API Permissions Assignment
Details
### Impact

An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users.
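As an added illustration (not Snipe-IT's code, and not the patch linked below), the two sanitiser shapes side by side in PHP: a blocklist that drops only `superuser`, which is the behaviour the advisory describes, and an allowlist under which a caller can grant only permissions it already holds. Function and key names are assumptions, and Snipe-IT's exact permission value convention is not taken from the page.

```php
<?php
// Added example, not Snipe-IT's code. Function names are hypothetical.

// Vulnerable shape: a one-key blocklist. `admin` and every other key
// in the request pass straight through to the stored permissions.
function sanitizePermissionsVulnerable(array $requested, array $actor): array
{
    unset($requested['superuser']);
    return $requested;
}

// Hardened shape: an allowlist driven by what the acting user holds.
// - `superuser` and `admin` may be set only by a superuser.
// - Any other key may be granted only if the actor already holds it.
// - Only 0/1 values are accepted (value convention assumed for this example).
function sanitizePermissionsFixed(array $requested, array $actor): array
{
    $isSuper = (int)($actor['superuser'] ?? 0) === 1;
    $clean = [];
    foreach ($requested as $key => $value) {
        $value = (int)$value;
        if ($value !== 0 && $value !== 1) {
            continue;                       // reject anything but grant/deny
        }
        if ($key === 'superuser' || $key === 'admin') {
            if (!$isSuper) {
                continue;                   // a controller would return 403 here
            }
        } elseif ((int)($actor[$key] ?? 0) !== 1) {
            continue;                       // cannot grant what you do not hold
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed input: an actor holding only users.edit asks for admin
// and a permission it does not hold.
$actor     = ['users.edit' => 1];
$requested = ['admin' => 1, 'users.edit' => 1, 'assets.delete' => 1];

var_dump(sanitizePermissionsVulnerable($requested, $actor)); // admin => 1 survives
var_dump(sanitizePermissionsFixed($requested, $actor));      // only users.edit => 1 survives
```

For detection, the same rule applies to logs: a PATCH to `/api/v1/users/{id}` from a non-superuser whose body or resulting diff adds `admin` or `superuser` is the event to alert on.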
### Patches

Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569; the fix was released in v8.4.1.
### Workarounds

None.
Affected packages
- Packagist: snipe/snipe-it
- Introduced in: 0
- Fixed in: 8.4.1
- Fix: `composer require snipe/snipe-it:^8.4.1`