Stored Cross-Site Scripting (XSS) in snipe/snipe-it

Valid

Reported on

Aug 28th 2022


Description

Input fields that accept Markdown input are vulnerable to stored XSS. Exploiting this requires superadmin permissions, though.

Proof of Concept

Steps to reproduce:

1. Log in to the admin account
2. Go to Admin -> General Settings
3. Enter the payload in the `Login Note` and `Dashboard Message` fields.
4. Go to the Dashboard and confirm the XSS in the dashboard message. Log out and confirm the XSS in the login message.

Payload:

[XSS](javascript:alert(document.location))

Impact

The impact is JavaScript Code Execution. However, superadmin privileges are required to edit the vulnerable input fields.

Occurrences

According to the Parsedown README, preventing XSS requires enabling safe mode: `$Parsedown->setSafeMode(true);`

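The following is an added regression check, not snipe-it's own code, that renders the report's payload through Parsedown with and without safe mode and verifies that only the safe-mode output is free of a `javascript:` href. It assumes Parsedown is installed via Composer (`vendor/autoload.php`); the `renderMarkdown` and `containsUnsafeHref` helpers are hypothetical names chosen for this example.

```php
<?php
// Added example (not snipe-it's code): effect of Parsedown safe mode on the
// report's payload. Assumes Parsedown is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

// The payload from the report, as typed into the Login Note / Dashboard Message fields.
$payload = '[XSS](javascript:alert(document.location))';

// Render Markdown to HTML, with safe mode on or off (the setting from the Parsedown README).
function renderMarkdown(string $markdown, bool $safeMode): string
{
    $parsedown = new Parsedown();
    $parsedown->setSafeMode($safeMode);
    return $parsedown->text($markdown);
}

// True if the rendered HTML still carries a javascript: or vbscript: scheme in an href,
// i.e. the stored payload would execute when the link is clicked.
function containsUnsafeHref(string $html): bool
{
    return (bool) preg_match('/href\s*=\s*["\']\s*(?:javascript|vbscript)\s*:/i', $html);
}

$unsafe = renderMarkdown($payload, false);
$safe   = renderMarkdown($payload, true);

echo "Without safe mode: {$unsafe}\n";
echo "With safe mode:    {$safe}\n";

// Regression check: the weak configuration must reproduce the finding,
// the corrected configuration must not.
if (!containsUnsafeHref($unsafe)) {
    fwrite(STDERR, "Expected the unsafe configuration to emit a javascript: href\n");
    exit(1);
}
if (containsUnsafeHref($safe)) {
    fwrite(STDERR, "Safe mode still emitted a javascript: href\n");
    exit(1);
}
echo "OK: safe mode neutralises the payload\n";
```

Run it with `php check.php`; a non-zero exit means the safe-mode configuration is not in effect for the rendering path under test.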

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
snipe/snipe-it maintainer has acknowledged this report a year ago
snipe validated this vulnerability a year ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe marked this as fixed in v6.0.11 with commit 9cf5f3 a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE
login.blade.php#L31 has been validated
dashboard.blade.php#L20 has been validated