Stored Cross-Site Scripting (XSS) in snipe/snipe-it
Aug 28th 2022
Input fields that accept Markdown are vulnerable to stored XSS. Exploiting this requires Superadmin permissions, though.
Proof of Concept
Steps to reproduce:
1. Log in to the admin account.
2. Go to Admin -> General Settings.
3. Enter the payload in the `Login Note` and `Dashboard Message` fields.
4. Go to the Dashboard and confirm the XSS in the dashboard message. Log out and confirm the XSS in the login message.