Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation
Vulnerability Description
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
CWE-915
Vulnerability Title
Snipe-IT 安全漏洞
Vulnerability Description
Snipe-IT是Grokability开源的一套开源IT资产/许可证管理系统。 Snipe-IT 8.3.7之前版本存在安全漏洞,该漏洞源于用户账户特权属性保护不足,可能导致低权限用户通过恶意API请求修改其他用户受限字段,进而完全接管超级管理员账户。
CVSS Information
N/A
Vulnerability Type
N/A