Snipe-It · Snipe-It · CVE-2025-15602
**Name of the Vulnerable Software and Affected Versions**
Snipe-IT versions prior to 8.3.7
**Description**
Snipe-IT instances running versions prior to 8.3.7 are susceptible to unauthorized modification of user account details because sensitive user attributes are insufficiently protected against mass assignment. An authenticated user with low privileges can construct a malicious API request that alters restricted fields of other user accounts, including the Super Admin account. Specifically, an attacker can change the email address associated with the Super Admin account and then initiate a password reset, leading to full administrative control of the Snipe-IT instance. The vulnerable API allows modification of user attributes through a mass assignment flaw; the `email` attribute is particularly susceptible to this manipulation.
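As an added illustration (not Snipe-IT's own code), the Laravel-style sketch below shows the mass-assignment pattern the description refers to, followed by a hardened handler that restricts which attributes a caller may change based on their privilege over the target account. The `User` model, the `isSuperUser()` method, the `update` policy ability and the field names are assumptions.

```php
<?php
// Added example, not Snipe-IT's code. The User model, policy ability and
// field names are assumed for illustration.

use App\Models\User;
use Illuminate\Http\Request;

class VulnerableUserController
{
    // Mass-assignment pattern: every key in the request body is written to the
    // model, so any authenticated caller who knows another user's id can set
    // restricted attributes such as "email" on that account.
    public function update(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        $user->fill($request->all());
        $user->save();
        return response()->json($user);
    }
}

class HardenedUserController
{
    // Attributes a user may change on their own account.
    private const SELF_FIELDS  = ['first_name', 'last_name', 'phone', 'locale'];
    // Attributes that change identity or privilege; only a caller authorized
    // to manage the target account may set them.
    private const ADMIN_FIELDS = ['email', 'username', 'activated', 'permissions'];

    public function update(Request $request, int $id)
    {
        $caller = $request->user();
        $target = User::findOrFail($id);
        $manages = $caller->can('update', $target);   // policy check (assumed ability name)

        // Editing another account without management rights is refused outright.
        if (!$manages && $caller->id !== $target->id) {
            abort(403);
        }
        // A manager must not outrank the target: a superuser account is only
        // manageable by another superuser (isSuperUser() is an assumed helper).
        if ($target->isSuperUser() && !$caller->isSuperUser()) {
            abort(403);
        }
        $allowed = $manages ? array_merge(self::SELF_FIELDS, self::ADMIN_FIELDS)
                            : self::SELF_FIELDS;

        // only() discards every key outside the allowlist, so an "email" key sent
        // by a non-manager never reaches fill(); the model's $fillable stays a backstop.
        $target->fill($request->only($allowed));
        $target->save();
        return response()->json($target);
    }
}
```

In the hardened version the server decides the writable field set from the caller's authorization, not from the request body, which is the property the advisory says versions before 8.3.7 lacked.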
**Recommendations**
Update Snipe-IT to version 8.3.7 or later.