Stored Cross Site Scripting vulnerability in Item name parameter in snipe/snipe-it

Valid

Reported on Apr 11th 2022

Description

Stored cross-site scripting vulnerability in the Item name parameter of the Assets module. Add the payload to an item name; whenever a user adds that item to their requested assets, the alert fires.

Proof of Concept

  1. Log in to the demo account

  2. Go to the Asset functionality, add or edit an item name with the following payload, and save

  3. payload = "><iMg SrC="x" oNeRRor="alert(1);">

  4. Go to requested assets and check the item name (payload) you added, or edit an asset that is already in requested assets

  5. If it is there, the alert will be triggered

Impact

The vulnerability could be used to steal the user's cookie.
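As an added illustration, not code from the report or from Snipe-IT: a minimal JavaScript model of one requested-assets row, rendering the step 3 payload raw beside rendering it through the same HTML escaping that Laravel's e() helper (the Blade {{ }} syntax the maintainer refers to in the thread) applies. The item record and the row template are constructed for the example; a tag-name check shows how the raw render grows extra elements while the escaped one does not.

```javascript
// Added example (not Snipe-IT code): a minimal model of how a stored item name
// reaches the "requested assets" page, with the escaping fix beside it.

// The item name from step 3 of the proof of concept.
const POC_NAME = '"><iMg SrC="x" oNeRRor="alert(1);">';

// HTML-context escaping, equivalent to Laravel's e() helper
// (htmlspecialchars with ENT_QUOTES), which Blade's {{ }} applies.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable rendering: the stored name is interpolated raw into both an
// attribute value and element text, so the quote and '>' in POC_NAME close
// the <a> tag early and the remainder becomes a new <img> element.
function renderRowUnsafe(item) {
  return `<tr><td><a href="/hardware/${item.id}" title="${item.name}">` +
         `${item.name}</a></td></tr>`;
}

// Fixed rendering: every value that enters HTML is escaped first, so the
// same payload is inert text that displays exactly as typed.
function renderRowSafe(item) {
  const id = escapeHtml(item.id);
  const name = escapeHtml(item.name);
  return `<tr><td><a href="/hardware/${id}" title="${name}">${name}</a></td></tr>`;
}

// Comparison check: lower-cased names of every opening tag in the markup.
// The template itself emits exactly tr, td and a; anything beyond that
// was introduced by data.
function openingTagNames(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed requested-asset record mirroring the report.
const requestedItem = { id: 42, name: POC_NAME };

console.log(openingTagNames(renderRowUnsafe(requestedItem))); // [ 'tr', 'td', 'a', 'img', 'img' ]
console.log(openingTagNames(renderRowSafe(requestedItem)));   // [ 'tr', 'td', 'a' ]
```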

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 2 years ago
Asura-N modified the report 2 years ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 years ago
snipe (Maintainer), 2 years ago

I am unable to reproduce this. In the line cited, you can see the name is escaped using the e() escaping syntax.

snipe (Maintainer), 2 years ago

https://demo.snipeitapp.com/hardware/requested (the demo resets, so I don't know if the test will still be there when you check this message.)

Asura-N (Researcher), 2 years ago

Hi snipe, it is still executing, I will share a video PoC in a while for clear understanding

Thanks Asura-N

Asura-N (Researcher), 2 years ago

https://mega.nz/file/A8knDSjY#gCZggqdSnnVX0N_VN6RPRIB00DB4xFI3Ogwwc-Icl20

snipe (Maintainer), 2 years ago

Thanks Asura - I am away for the day but will check when I return.

snipe (Maintainer), 2 years ago

Got it - this is on the user's requested assets page, not the admin's.

snipe validated this vulnerability 2 years ago
asura-n has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed in v5.4.3 with commit f211c1 2 years ago
snipe has been awarded the fix bounty