Improper Handling of Extra Parameters in the AccountController (User Profile edit) in Jakub Chodounsky Bonobo Git Server 6.3.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions.
The application logic in Bonobo.Git.Server/Controllers/AccountController.cs, in public ActionResult Edit(UserEditModel model), does not properly validate the form submission when a user modifies their own profile. Appending a PostedSelectedRoles form parameter results in arbitrary role assignment to the profile. A subsequent refresh of the session (re-login) is needed for the change to take effect.
The issue is fixed in version 6.5.0.
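The following sketch is an added illustration and is not code from Bonobo Git Server; the model class, the membership service interface and the "Administrator" role name are assumptions. It contrasts the over-permissive pattern the advisory describes, where every model-bound property (including a roles collection the profile form never renders) is persisted, with a version that decides whether roles may change from the caller's server-side identity rather than from form input:

```csharp
// Added illustrative example, not the Bonobo Git Server source. Model, service
// and role names are assumptions chosen to show the pattern and its fix.
using System;
using System.Collections.Generic;
using System.Web.Mvc;

public class UserEditModel
{
    public string Username { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    // Model binding fills this from any request that carries the parameter,
    // even though the self-service profile form never renders a roles control.
    public string[] PostedSelectedRoles { get; set; }
}

public interface IMembershipService   // assumed persistence abstraction
{
    void UpdateUser(string username, string name, string email);
    void UpdateUserRoles(string username, IEnumerable<string> roles);
}

[Authorize]
public class VulnerableAccountController : Controller
{
    private readonly IMembershipService _membership;
    public VulnerableAccountController(IMembershipService membership) { _membership = membership; }

    // Over-permissive pattern: everything that was bound is persisted, so an
    // extra PostedSelectedRoles field changes the caller's own role membership.
    [HttpPost]
    public ActionResult Edit(UserEditModel model)
    {
        if (!ModelState.IsValid) return View(model);
        _membership.UpdateUser(model.Username, model.Name, model.Email);
        _membership.UpdateUserRoles(model.Username, model.PostedSelectedRoles ?? new string[0]);
        return RedirectToAction("Edit");
    }
}

[Authorize]
public class HardenedAccountController : Controller
{
    private const string AdminRole = "Administrator";   // assumed role name
    private readonly IMembershipService _membership;
    public HardenedAccountController(IMembershipService membership) { _membership = membership; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserEditModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // Authorization facts come from the authenticated principal, never from the form.
        bool isAdmin = User.IsInRole(AdminRole);
        bool editingSelf = string.Equals(model.Username, User.Identity.Name,
                                         StringComparison.OrdinalIgnoreCase);
        if (!isAdmin && !editingSelf) return new HttpUnauthorizedResult();

        _membership.UpdateUser(model.Username, model.Name, model.Email);

        // Role membership is only ever written on behalf of an administrator;
        // posted roles from any other caller are silently discarded.
        if (isAdmin && model.PostedSelectedRoles != null)
        {
            _membership.UpdateUserRoles(model.Username, model.PostedSelectedRoles);
        }
        return RedirectToAction("Edit");
    }
}
```

A complementary defence is to keep privileged fields out of the self-service model entirely (a separate view model for profile edits, or `[Bind(Exclude = "PostedSelectedRoles")]` on the action parameter), so that binding cannot populate them regardless of what the request contains. For detection, a profile-edit request body that carries role parameters from a non-administrator account, or a role change on a user record that is not attributable to an administrator's session, is the signal to look for in application and audit logs.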