CVE-2019-11218: Privilege escalation in Bonobo Git Server AccountController

Description

Improper Handling of Extra Parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server 6.3.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions.

In Bonobo.Git.Server/Controllers/AccountController.cs, the application logic in public ActionResult Edit(UserEditModel model) does not properly validate the form submission when a user modifies their own profile. Appending a PostedSelectedRoles parameter to the request results in arbitrary role assignment to the profile (an over-posting / mass-assignment flaw: the default model binder fills every model property that matches a posted field, whether or not the profile form ever rendered it). The session must subsequently be refreshed (log out and log back in) for the change to take effect.
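The following is an added illustration of the bug class described above, not code from Bonobo Git Server: it simulates default model binding of a posted form into a UserEditModel, a handler that applies PostedSelectedRoles unconditionally (the vulnerable behaviour) beside one that ignores role changes from non-administrators (an assumed hardening, not necessarily the upstream fix), and a session object whose roles are snapshotted at login, which is why a re-login is needed before the escalated role is visible. The role name "Administrator", the field names and the request body are constructed assumptions.

```python
"""Over-posting (mass-assignment) simulation for the CVE-2019-11218 bug class.
Constructed example; the binder, store, session and handlers are not project code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs

ADMIN_ROLE = "Administrator"  # assumed name of the application administrator role


@dataclass
class User:
    username: str
    roles: List[str] = field(default_factory=list)


@dataclass
class UserEditModel:
    Username: str = ""
    Name: str = ""
    Email: str = ""
    # A default model binder fills this from a form field of the same name
    # even though the self-service profile page never renders such a field.
    PostedSelectedRoles: Optional[List[str]] = None


class Session:
    """Roles are copied at login; later changes to the stored user are not
    seen until the user logs in again (the advisory's 'relog')."""

    def __init__(self, user: User) -> None:
        self.username = user.username
        self.roles = list(user.roles)

    def is_admin(self) -> bool:
        return ADMIN_ROLE in self.roles


def bind(form_body: str) -> UserEditModel:
    """Mimic default model binding: every posted field whose name matches a
    model property is bound, including parameters the attacker appended."""
    fields = parse_qs(form_body, keep_blank_values=True)
    model = UserEditModel()
    for name, values in fields.items():
        if hasattr(model, name):
            # list-typed property keeps all values, scalar properties take the first
            setattr(model, name, values if name == "PostedSelectedRoles" else values[0])
    return model


def edit_vulnerable(store: Dict[str, User], session: Session, model: UserEditModel) -> bool:
    """Trusts the bound model wholesale: whatever roles were posted are stored."""
    user = store[model.Username]
    user.roles = list(model.PostedSelectedRoles) if model.PostedSelectedRoles is not None else user.roles
    return True


def edit_hardened(store: Dict[str, User], session: Session, model: UserEditModel) -> bool:
    """Assumed hardening: non-admins may only edit their own profile and the
    posted role list is ignored unless the caller is already an administrator."""
    if not session.is_admin() and model.Username != session.username:
        return False
    user = store[model.Username]
    user.roles = list(model.PostedSelectedRoles) if (session.is_admin() and model.PostedSelectedRoles is not None) else user.roles
    return True


def scenario(handler):
    """Run the attack against one handler; return (is_admin before relog, after relog)."""
    store = {"alice": User("alice", ["Member"]), "root": User("root", [ADMIN_ROLE])}
    session = Session(store["alice"])
    # Constructed request body: the legitimate profile fields plus the appended
    # PostedSelectedRoles parameter the profile form never offered.
    body = "Username=alice&Name=Alice&Email=alice%40example.org&PostedSelectedRoles=Administrator"
    handler(store, session, bind(body))
    before_relog = session.is_admin()
    session = Session(store["alice"])  # log out and back in: roles re-read from the store
    return before_relog, session.is_admin()


if __name__ == "__main__":
    print("vulnerable:", scenario(edit_vulnerable))  # (False, True)
    print("hardened:  ", scenario(edit_hardened))    # (False, False)
```

The vulnerable path shows both halves of the advisory: the extra parameter is silently bound and stored, yet the current session still reports no admin role until the user re-authenticates and the roles are re-read from the store.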

Additional Information

The issue is fixed in version 6.5.0.

Timeline