php · snipe/snipe-it
Heads-up
snipe-it: Company ID bypass in BulkAssetsController::update()
What changed
BulkAssetsController::update() writes the company_id it receives in the request straight to every selected asset instead of passing it through Company::getIdForCurrentUser(), the helper that pins a non-superadmin user to their own company. A non-superadmin user can therefore bulk-move assets into another company, breaking the tenant isolation that multi-company mode is meant to provide.
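The following is an added, framework-free PHP sketch (not Snipe-IT's own code) of the two shapes described above: the vulnerable bulk update that copies the request value through, and the hardened one that routes it through a tenant-scoping helper. The helper `companyIdForCurrentUser()` mirrors the intent of Company::getIdForCurrentUser() as an assumption; the classes, function names and sample data are constructed for the example.

```php
<?php
// Added example (PHP 8.1+), not Snipe-IT's own code: a framework-free sketch of the
// vulnerable and the fixed handling of company_id in a bulk asset update.
declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly ?int $companyId,   // null = not tied to any company
        public readonly bool $isSuperuser,
    ) {}
}

final class Asset
{
    public function __construct(public readonly int $id, public ?int $companyId) {}
}

// Assumed behaviour of Company::getIdForCurrentUser(): when full multi-company support is on,
// a user who belongs to a company can only ever write their own company_id; superusers and
// users without a company keep whatever the request asked for.
function companyIdForCurrentUser(User $user, bool $fullMultiCompany, mixed $input): ?int
{
    $requested = ($input === null || $input === '') ? null : (int) $input;
    if (!$fullMultiCompany || $user->isSuperuser || $user->companyId === null) {
        return $requested;
    }
    return $user->companyId;
}

/** Vulnerable shape: the request value is written straight to every selected asset. */
function bulkUpdateVulnerable(array $assets, array $request): void
{
    if (!array_key_exists('company_id', $request)) {
        return;
    }
    foreach ($assets as $asset) {
        $asset->companyId = (int) $request['company_id'];
    }
}

/** Hardened shape: identical flow, but company_id goes through the tenant-scoping helper. */
function bulkUpdateHardened(User $user, array $assets, array $request, bool $fullMultiCompany = true): void
{
    if (!array_key_exists('company_id', $request)) {
        return;
    }
    $scoped = companyIdForCurrentUser($user, $fullMultiCompany, $request['company_id']);
    foreach ($assets as $asset) {
        $asset->companyId = $scoped;
    }
}

// Constructed sample data: a non-superadmin in company 1 tries to push two assets into company 2.
function demo(): array
{
    $user    = new User(id: 7, companyId: 1, isSuperuser: false);
    $request = ['company_id' => '2'];

    $unscoped = [new Asset(1, 1), new Asset(2, 1)];
    bulkUpdateVulnerable($unscoped, $request);

    $scoped = [new Asset(1, 1), new Asset(2, 1)];
    bulkUpdateHardened($user, $scoped, $request);

    return [
        'vulnerable' => array_map(fn (Asset $a) => $a->companyId, $unscoped),
        'hardened'   => array_map(fn (Asset $a) => $a->companyId, $scoped),
    ];
}

$result = demo();
if ($result['vulnerable'] !== [2, 2]) {
    throw new RuntimeException('expected the unscoped path to move assets across companies');
}
if ($result['hardened'] !== [1, 1]) {
    throw new RuntimeException('expected the scoped path to pin assets to the caller\'s company');
}
echo 'unscoped: ', implode(',', $result['vulnerable']),
     '  scoped: ', implode(',', $result['hardened']), PHP_EOL;
```

Run it with `php example.php`; the unscoped path ends with both assets in company 2, the scoped path leaves them in company 1. Note that scoping the written value only closes the write side: the list of assets a bulk edit operates on must itself be restricted to the caller's company, otherwise a user can still rewrite fields on assets they should never see.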
Who it affects
Snipe-IT installations running with multi-company support enabled. The attacker is an authenticated, non-superadmin user who can bulk-edit assets; single-company installations have no company boundary to cross.
What to do today
Apply the fix from commit d58fda626e8febfeff4cabbc20ba03edfc411e18 (or upgrade to a release that contains it) to restore company scoping. Afterwards confirm that BulkAssetsController::update() passes company_id through Company::getIdForCurrentUser() rather than using the request value as-is, and review recent bulk asset edits for assets whose company_id changed to a company the editing user does not belong to.