Cross-Site Request Forgery (CSRF) in snipe/snipe-it


Reported on

Nov 4th 2021


CSRF in custom field settings

Proof of Concept

<img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
<img src="http://<SNIPE_IT_APP>/fields/required/3/3">
<img src="http://<SNIPE_IT_APP>/fields/optional/3/3">


This vulnerability is capable of trick admin user to modify custom forms


disassociate frontend

optional frontend

optional api

required frontend

disassociate api

required api

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a month ago
haxatron modified their report
a month ago
haxatron modified their report
a month ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a month ago
snipe validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 0d811d a month ago
snipe has been awarded the fix bounty
view.blade.php#L61L63 has been validated
fields.php#L15 has been validated
view.blade.php#L72L77 has been validated
view.blade.php#L66L68 has been validated
fields.php#L20 has been validated
fields.php#L10 has been validated