Cross-Site Request Forgery (CSRF) in snipe/snipe-it


Reported on

Nov 4th 2021


CSRF in custom field settings

Proof of Concept

<img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
<img src="http://<SNIPE_IT_APP>/fields/required/3/3">
<img src="http://<SNIPE_IT_APP>/fields/optional/3/3">


This vulnerability is capable of trick admin user to modify custom forms


disassociate frontend

optional frontend

optional api

required frontend

disassociate api

required api

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
haxatron modified the report
a year ago
haxatron modified the report
a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
snipe validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed with commit 0d811d a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE
view.blade.php#L61L63 has been validated
fields.php#L15 has been validated
view.blade.php#L72L77 has been validated
view.blade.php#L66L68 has been validated
fields.php#L20 has been validated
fields.php#L10 has been validated
to join this conversation