php · snipe/snipe-it
Heads-up
snipe-it: Admin privilege escalation via UsersController store()
The store() method in UsersController (web and API) does not strip the admin permission from the submitted permission set when creating a user, so anyone allowed to create users can create one with admin privileges.
What changed
Before the fix, the store() method in both the web and the API UsersController saved the permissions submitted with the create-user request as-is, without stripping the admin permission. A user who is allowed to create users but is not an admin could therefore create a new account that holds admin rights, then log in as it and act with those rights. The fix strips the admin permission before the new user is saved.
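The pattern the advisory describes, and a hardened variant, as an added illustration in PHP (this is not Snipe-IT's own code and not the content of the fix): the vulnerable shape copies the requested permission set onto the new user unchanged, while the hardened shape drops privileged permissions the acting user does not hold. The permission names follow Snipe-IT's style (users.create, admin, superuser, values stored as the string "1"), but the function names, the PROTECTED_PERMISSIONS list and the sample request are assumptions constructed for this example.

```php
<?php
// Added illustration, not Snipe-IT code: how an unfiltered permission copy in a
// create-user handler lets a users.create holder mint an admin, and a filter that
// refuses to hand out privileges the caller does not hold itself.

/** Permissions that only a holder of the same permission may grant (assumption). */
const PROTECTED_PERMISSIONS = ['superuser', 'admin'];

/**
 * Vulnerable shape: the request's permission set becomes the new user's set.
 * A caller with only users.create can submit ["admin" => "1"] and get an admin.
 */
function buildPermissionsVulnerable(array $requested): array
{
    return $requested;
}

/**
 * Hardened shape: a protected permission survives only if the acting user
 * already holds it ("1"). Ordinary permissions pass through unchanged.
 */
function buildPermissionsHardened(array $requested, array $actor): array
{
    foreach (PROTECTED_PERMISSIONS as $perm) {
        if (isset($requested[$perm]) && ($actor[$perm] ?? '0') !== '1') {
            // Strip rather than reject: the user is still created, minus the escalation.
            unset($requested[$perm]);
        }
    }
    return $requested;
}

// Constructed sample: an HR account that may create users but is not an admin,
// submitting a new-user form with the admin and superuser boxes ticked.
$hrActor   = ['users.create' => '1', 'users.view' => '1'];
$requested = ['users.view' => '1', 'admin' => '1', 'superuser' => '1'];

// Vulnerable: the new user is created with admin and superuser rights.
echo "vulnerable: ", json_encode(buildPermissionsVulnerable($requested)), "\n";
// hardened: only users.view survives for the HR caller.
echo "hardened (HR caller): ", json_encode(buildPermissionsHardened($requested, $hrActor)), "\n";

// A real superuser may still grant admin, so legitimate onboarding keeps working.
$superActor = ['superuser' => '1', 'admin' => '1', 'users.create' => '1'];
echo "hardened (superuser caller): ", json_encode(buildPermissionsHardened($requested, $superActor)), "\n";
```

The check belongs in the handler (or a request/policy class it calls), not in the form: the API path accepts the same permission set as the web form, so a UI that hides the admin checkbox from non-admins does nothing against a crafted request.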
Who it affects
Any authenticated user who holds the users.create permission but not admin rights, such as HR staff or department leads who onboard accounts.
What to do today
Apply commit aea3877718 (or upgrade to a release that contains it) to close the escalation path. Until the fix is deployed, limit users.create to accounts you already trust with admin rights, and audit existing users for admin permissions that nobody with admin rights remembers granting.