Improper Access Control in snipe/snipe-it
Jan 9th 2022
A user who has been granted no permission to manage API tokens can still open the page where personal API tokens are generated and can generate tokens from it.
Proof of Concept
Create a user with no permission for anything (i.e. everything on deny).
Log in with this user to the web application.
Visit http://127.0.0.1:8000/account/api. The user can see and generate personal API tokens even though they have no rights to do so.
The impact tends to be low, because the user only sees and generates their own API tokens. If other parts of the application had further authorization flaws, an attacker could use such a token as a starting point for further actions.
There is no check preventing a user without the relevant permission from viewing that page.
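As an added illustration (not snipe-it's own code and not the maintainer's fix), the following plain PHP models the missing check: the same page handler with and without a permission gate, plus the token-creation action gated the same way. The permission key `self.api`, the JSON-style permission map, and the handler names are assumptions made for this example.

```php
<?php
// Added illustration, not snipe-it's code. Models the missing authorization
// check on the personal API token page: a gated handler beside the ungated one.
// Assumptions: permissions are a map of key => "1"/"0" on the user, a
// "superuser" flag overrides everything, and the relevant key is "self.api".

declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly string $username,
        private readonly array $permissions,   // e.g. ['superuser' => '0', 'self.api' => '0']
    ) {}

    // Superusers may do anything; otherwise the specific key must be explicitly granted.
    // An absent key is treated as denied, so "everything on deny" really denies.
    public function can(string $permission): bool
    {
        if (($this->permissions['superuser'] ?? '0') === '1') {
            return true;
        }
        return ($this->permissions[$permission] ?? '0') === '1';
    }
}

final class HttpResponse
{
    public function __construct(public readonly int $status, public readonly string $body) {}
}

// Vulnerable shape: being authenticated is the only requirement, so any
// logged-in user reaches the page and can mint a token from it.
function showApiTokenPageUnchecked(User $user): HttpResponse
{
    return new HttpResponse(200, "API token page for {$user->username}");
}

// Hardened shape: require the specific permission before rendering the page.
function showApiTokenPageChecked(User $user): HttpResponse
{
    if (!$user->can('self.api')) {
        return new HttpResponse(403, 'Forbidden: no permission to manage API tokens');
    }
    return new HttpResponse(200, "API token page for {$user->username}");
}

// The creation action needs the same gate: hiding the page is not enough,
// since the POST can be sent directly without ever rendering the form.
function createApiTokenChecked(User $user, string $tokenName): HttpResponse
{
    if (!$user->can('self.api')) {
        return new HttpResponse(403, 'Forbidden: no permission to manage API tokens');
    }
    // Actual token issuance (e.g. via the OAuth/Passport layer) is out of scope here.
    return new HttpResponse(201, "Created token '{$tokenName}' for {$user->username}");
}

// Driver: a user with everything denied, as in the proof of concept, and a superuser.
$denied = new User('nobody', ['superuser' => '0', 'self.api' => '0']);
$admin  = new User('root',   ['superuser' => '1']);

printf("unchecked page, denied user: %d\n", showApiTokenPageUnchecked($denied)->status);
printf("checked page, denied user:   %d\n", showApiTokenPageChecked($denied)->status);
printf("checked create, denied user: %d\n", createApiTokenChecked($denied, 'test')->status);
printf("checked page, superuser:     %d\n", showApiTokenPageChecked($admin)->status);
```

The point of the hardened pair is that both the GET that renders the page and the POST that creates the token carry the same permission check; a fix that only hides the menu entry or the page leaves the creation endpoint reachable. To verify a fix, log in as the all-denied user, request /account/api and submit the token-creation request directly; both should be refused rather than succeed.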
This is very low impact, since a user with no permissions to do anything would create an API user with no permissions to do anything, since the API token inherits the permissions from the user who created it, but it's a valid bug. I'll have a fix out this week.
(Thank you for the report btw)