Lorenzofradeani

#18919 of 53,633
14.2 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-39299
5.4
2026-05-08
Grokability · Snipe-It · CVE-2026-44831
**Name of the Vulnerable Software and Affected Versions** Snipe-IT versions prior to 8.4.1
**Description** Users with component view access are exposed to cross-site scripting (XSS), a flaw in which malicious scripts are injected into a trusted website, because the `notes` column is rendered without escaping.
**Recommendations** Update to version 8.4.1 or greater.
PT-2026-39300
8.8
2026-05-08
Grokability · Snipe-It · CVE-2026-44832
**Name of the Vulnerable Software and Affected Versions** Snipe-IT versions prior to 8.4.1
**Description** An authenticated user holding only the `users.edit` permission can escalate their privileges to administrator by sending a PATCH request to the `/api/v1/users/{id}` endpoint with the `permissions[admin]` variable set to 1. The API controller does not properly validate the permissions array: it strips only the `superuser` key, leaving `admin` and the other permission keys modifiable by any user with update capabilities.
**Recommendations** Update to version 8.4.1.