An issue in hackathon-starter v.8.1.0 allows a remote attacker to escalate privileges via the user.js component.