Improper Handling of Extra Parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server 6.3.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions.
Bonobo.Git.Server/Controllers/AccountController.cs
The application logic in public ActionResult Edit(UserEditModel model) does not properly validate the form submission when a user modifies their own profile. Appending a PostedSelectedRoles parameter to the request results in arbitrary role assignment to the profile. A subsequent refresh of the session (re-login) is needed for the change to take effect.
The issue is fixed in version 6.5.0.
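A hardened shape for the profile-edit action described above, written as an added example for this advisory and not taken from Bonobo Git Server's source: roles are derived from the server-side identity rather than from posted fields. Only PostedSelectedRoles is named by the advisory; the other model fields, the IMembershipService interface, the UserModel type and the "Administrator" role name are assumptions.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Hypothetical model: only PostedSelectedRoles comes from the advisory, the rest is assumed.
public class UserEditModel
{
    public Guid Id { get; set; }
    public string Username { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public string[] PostedSelectedRoles { get; set; }
}

// Assumed persistence types; the real project's service is not on the page.
public class UserModel { public Guid Id; public string[] Roles; }
public interface IMembershipService
{
    UserModel GetUserByName(string username);
    void UpdateUser(Guid id, string username, string name, string email, string[] roles);
}

public class AccountController : Controller
{
    private readonly IMembershipService _membership;

    public AccountController(IMembershipService membership) { _membership = membership; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserEditModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Authorization is decided from the authenticated identity, never from posted fields.
        var current = _membership.GetUserByName(User.Identity.Name);
        bool isAdmin = User.IsInRole("Administrator"); // assumed role name
        bool editingSelf = current.Id == model.Id;

        if (!isAdmin && !editingSelf)
            return new HttpStatusCodeResult(403);

        // The weak pattern forwards model.PostedSelectedRoles to the update unconditionally.
        // Here the posted roles are honoured only for an administrator; a self-edit by a
        // regular user keeps the roles already stored for the account, so an extra
        // PostedSelectedRoles field in the form has no effect.
        string[] roles = isAdmin
            ? (model.PostedSelectedRoles ?? new string[0])
            : current.Roles.ToArray();

        _membership.UpdateUser(model.Id, model.Username, model.Name, model.Email, roles);
        return RedirectToAction("Edit", new { id = model.Id });
    }
}
```

Because the advisory notes that role changes only apply after the session is refreshed, a server-side audit log entry on every role change (who changed whose roles, from what to what) is the signal to look for when checking whether this path was abused before the fix.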