Improper Access Control in snipe/snipe-it
Jan 6th 2022
None of the bulk actions on asset models (bulk-edit, bulk-delete and the bulk form info) perform access control checks.
Proof of concept
1: Grant only the view permission on Asset Models.
2: The UI for bulk-edit and bulk-delete is still enabled; proceed.
3: You may now bulk-delete / bulk-edit any asset model.
This vulnerability allows viewing, editing and deleting asset model information even when the corresponding permissions are set to DENY.
Fix commit: https://github.com/Haxatron/snipe-it/commit/bb095641c2f421f744796d184287c46fc9303591
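The pattern behind this class of fix, as an added Laravel sketch that is not snipe-it's code and not the contents of the linked commit: the bulk handlers must authorize the action they perform rather than rely on the UI hiding the buttons. `AssetModel` is the project's model name; the controller and method names, the policy abilities and the edited column are assumptions.

```php
<?php
// Added example, not snipe-it's own code or the linked fix commit. Assumes a
// Laravel policy for AssetModel whose 'update' / 'delete' abilities map to the
// user's permission set; method names and the edited column are assumptions.
namespace App\Http\Controllers;

use App\Models\AssetModel;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;

class AssetModelsBulkController extends Controller
{
    use AuthorizesRequests;

    // Vulnerable pattern as the report describes it: the handler relies on
    // the UI hiding the bulk buttons and never asks whether the caller may
    // delete asset models, so a user with only "view" can delete any of them.
    public function bulkDeleteVulnerable(Request $request)
    {
        AssetModel::whereIn('id', $request->input('ids', []))->delete();
        return redirect()->back();
    }

    // Hardened: authorize the action being performed, not merely the ability
    // to view. authorize() throws an AuthorizationException (HTTP 403), so
    // nothing below it runs for a caller whose delete permission is DENY.
    public function bulkDelete(Request $request)
    {
        $this->authorize('delete', AssetModel::class);
        $data = $request->validate(['ids' => 'required|array', 'ids.*' => 'integer']);
        AssetModel::whereIn('id', $data['ids'])->delete();
        return redirect()->back();
    }

    // Bulk edit follows the same rule with the 'update' ability; the step that
    // renders the bulk form should carry the same check, because a hidden
    // control is not an access control.
    public function bulkEdit(Request $request)
    {
        $this->authorize('update', AssetModel::class);
        $data = $request->validate([
            'ids' => 'required|array', 'ids.*' => 'integer',
            'manufacturer_id' => 'required|integer',
        ]);
        AssetModel::whereIn('id', $data['ids'])
            ->update(['manufacturer_id' => $data['manufacturer_id']]);
        return redirect()->back();
    }
}
```

A feature test that logs in as a user with only the view permission and expects 403 from each bulk route is the regression check that keeps this from silently returning.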
Let me know if you want a PR :)
Note that the fix is on the master branch, not the fix-access-control branch; I also updated the permalinks to reflect where all 4 issues occur.
You are a rock star <3 - can you PR this? It would be easier for me - if you can't, no worries, I'll sort it out.
Done - https://github.com/snipe/snipe-it/pull/10498
@maintainer, could you validate this? Thanks! :D
Done, and thanks :) You can call me snipe ;)
No problem snipe, happy to contribute to the security of your project. Once a new release is available, or when you are comfortable, could you submit the fix for this as well? That would be great! :)