2024-06-14 09:54:41
Checkmarx
PUBLISHED
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the groups memberships via API call.This issue affects snipe-it: from v4.6.17 through v6.4.1.