Stored Cross-Site Scripting (XSS) in snipe/snipe-it

Valid

Reported on

Aug 28th 2022


Description

Input fields that accept Markdown input are vulnerable to stored XSS, though Superadmin permissions are required to edit them.

Proof of Concept

Steps to reproduce:

1. Log in to the admin account
2. Go to Admin -> General Settings
3. Enter the payload below in the `Login Note` and `Dashboard Message` fields.
4. Go to the Dashboard and confirm the XSS in the dashboard message. Log out and confirm the XSS in the login note.

Payload:

[XSS](javascript:alert(document.location))

Impact

The impact is JavaScript Code Execution. However, superadmin privileges are required to edit the vulnerable input fields.

Occurrences

According to the Parsedown README, preventing XSS requires enabling safe mode: `$Parsedown->setSafeMode(true);`
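
As an added illustration (not code from the report or from snipe-it), the following PHP script renders the report's payload through Parsedown with and without safe mode and checks whether a `javascript:` link survives into the HTML. It assumes the Parsedown package is installed via Composer; the helper names are my own.

```php
<?php
// Added example, not snipe-it's own code: render the proof-of-concept
// payload with Parsedown, once with the library default and once with
// safe mode, and check whether a javascript: link reaches the HTML.
// Assumes the erusev/parsedown package is installed through Composer.
require __DIR__ . '/vendor/autoload.php';

// The payload from the proof of concept above.
const PAYLOAD = '[XSS](javascript:alert(document.location))';

// Render Markdown to HTML, toggling the option the fix relies on.
function renderMarkdown(string $markdown, bool $safeMode): string
{
    $parsedown = new Parsedown();
    $parsedown->setSafeMode($safeMode);
    return $parsedown->text($markdown);
}

// True when the HTML still carries an href using the javascript: scheme,
// i.e. when it is unsafe to echo unescaped into a Blade view.
// In safe mode Parsedown percent-encodes the colon of any scheme that is
// not on its whitelist, so the scheme no longer matches here.
function hasScriptHref(string $html): bool
{
    return (bool) preg_match('/href\s*=\s*["\']\s*javascript:/i', $html);
}

$unsafe = renderMarkdown(PAYLOAD, false);
$safe   = renderMarkdown(PAYLOAD, true);

echo "Default:   {$unsafe}\n";
echo "Safe mode: {$safe}\n";

// Exit non-zero if safe mode did not neutralise the dangerous scheme,
// so the check can double as a regression test in CI.
if (hasScriptHref($unsafe) && !hasScriptHref($safe)) {
    echo "OK: safe mode blocked the javascript: link\n";
    exit(0);
}
fwrite(STDERR, "Unexpected rendering; check the Parsedown version\n");
exit(1);
```

Safe mode also HTML-escapes raw markup in the input, so it covers inline `<script>` tags as well as unsafe link schemes; the Blade templates still have to avoid re-introducing unescaped output.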

Timeline

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a month ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 25 days ago
snipe/snipe-it maintainer has acknowledged this report 25 days ago
snipe validated this vulnerability 25 days ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe confirmed that a fix has been merged on 9cf5f3 25 days ago
snipe has been awarded the fix bounty
login.blade.php#L31 has been validated
dashboard.blade.php#L20 has been validated