php · snipe/snipe-it
Heads-up
Snipe-IT CSV Import Authorization Bypass in Update Mode
What changed
CSV user import in update mode bypasses user-edit authorization, allowing users with only import permission to overwrite non-admin user emails and trigger password reset.
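To make the gap concrete, here is a small hypothetical model of a CSV user import with an update mode, added for illustration and not taken from Snipe-IT's code base; the `User`/`Actor` classes, the `import`/`users.edit` permission names and the `SAMPLE_CSV` rows are all constructed for the example. The `per_row_auth` switch reproduces the reported behaviour (only the import permission is checked) beside the corrected behaviour (each row is also authorized against the user it would modify).

```python
import csv
import io
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False


@dataclass
class Actor:
    username: str
    permissions: set = field(default_factory=set)


# Constructed sample upload: one row targets an existing non-admin user.
SAMPLE_CSV = "username,email\nalice,alice@changed.example\ncarol,carol@example.com\n"


def can_edit_user(actor: Actor, target: User) -> bool:
    """Hypothetical user-edit policy, kept separate from the import permission.
    A real policy would inspect `target` (e.g. admin status) as well."""
    return "users.edit" in actor.permissions


def import_users(actor, csv_text, directory, update=False, per_row_auth=True):
    """Process a CSV upload. With update=True, existing users are modified.
    per_row_auth=False reproduces the reported gap: once the import
    permission is held, the update path overwrites emails unchecked."""
    if "import" not in actor.permissions:
        raise PermissionError("import permission required")
    applied, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"]
        existing = directory.get(name)
        if existing is None:
            directory[name] = User(name, row["email"])
            applied.append(name)
            continue
        if not update:
            rejected.append((name, "already exists"))
            continue
        # The fix: authorize each row against the user it would modify, the
        # same check the normal user-edit form enforces. An unchecked email
        # change matters because password-reset mail goes to the new address.
        if per_row_auth and not can_edit_user(actor, existing):
            rejected.append((name, "not authorized to edit user"))
            continue
        existing.email = row["email"]
        applied.append(name)
    return applied, rejected
```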
Who it affects
Snipe-IT instances where users have been granted the import permission but not user-edit permission.
What to do today
Upgrade to v8.6.0 or later to apply the patch.