Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Nov 5th 2021
XSS in bulk audit function via the asset tag parameter
Proof of Concept
1: Go to the bulk audit feature at http://<SNIPE_IT_APP>/hardware/bulkaudit
2: Use <script>alert(document.domain)</script> as the "Asset Tag" parameter
3: Click "Audit". The XSS is triggered via the message "Asset Tag [ASSET_TAG] not found.", because the submitted tag is reflected into that message without being HTML-encoded.
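The root cause of this class of bug is a user-controlled value (here the asset tag) being interpolated into HTML without encoding. The following added example is not Snipe-IT's code (Snipe-IT is a PHP/Laravel application; the pattern is shown in JavaScript for readability): it builds the same "not found" message first the vulnerable way and then with output encoding, plus a small check that a test suite could use to catch a regression. The function names, the `alert` markup and the `containsRawTag` helper are assumptions made for this illustration.

```javascript
// Added example (not Snipe-IT's own code): the "Asset Tag [X] not found" message
// built from an unencoded vs. an HTML-encoded asset tag.

// Encode the five characters that can break out of element content or attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the user-controlled tag is concatenated straight into markup,
// so any markup inside the tag becomes part of the rendered page.
function notFoundMessageUnsafe(assetTag) {
  return "<div class=\"alert alert-danger\">Asset Tag [" + assetTag + "] not found.</div>";
}

// Hardened pattern: same message, but the tag is encoded before interpolation,
// so it is displayed literally instead of being parsed as HTML.
function notFoundMessageSafe(assetTag) {
  return "<div class=\"alert alert-danger\">Asset Tag [" + escapeHtml(assetTag) + "] not found.</div>";
}

// Hypothetical regression check: does the rendered fragment contain a raw
// <tagName ...> or </tagName> element? Used here to show the difference
// between the two renderings; it is not a general-purpose XSS detector.
function containsRawTag(html, tagName) {
  return new RegExp("<\\s*/?\\s*" + tagName + "\\b", "i").test(html);
}

// Constructed sample input: the payload from the proof of concept above.
const SAMPLE_TAG = "<script>alert(document.domain)</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", notFoundMessageUnsafe(SAMPLE_TAG));
  console.log("safe:  ", notFoundMessageSafe(SAMPLE_TAG));
}
```

In a Blade template the equivalent fix is rendering the value with `{{ }}` (which encodes) rather than `{!! !!}` (which does not); in any templating system the rule is the same: encode for the context the value lands in, at the point of output.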