Stored Cross Site Scripting vulnerability in Item name parameter in snipe/snipe-it
Reported on
Apr 11th 2022
Description
Stored cross site scripting vulnerability in the Item name parameter in the Assets module. Add the payload in the item name, and whenever the user adds the item to his requested assets, the alert will trigger.
Proof of Concept
Login to the demo account
Go to the Asset functionality, add or edit an item name with the following payload and save
payload = "><iMg SrC="x" oNeRRor="alert(1);">
Go to requested assets, check the item name (payload) that you added, or edit an asset which is already in requested assets
If it is there, the alert will be triggered
Impact
The vulnerability is capable of stealing the user's cookie.
I am unable to reproduce this. In the line cited, you can see the name is escaped using the e() escaping syntax.
https://demo.snipeitapp.com/hardware/requested (the demo resets, so I don't know if the test will still be there when you check this message.)
Hi snipe, it is still executing, I will share a video PoC in a while for clearer understanding
Thanks Asura-N
https://mega.nz/file/A8knDSjY#gCZggqdSnnVX0N_VN6RPRIB00DB4xFI3Ogwwc-Icl20
Thanks Asura - I am away for the day but will check when I return.
Got it - this is on the user's requested assets page, not the admin's.
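As an added example (not snipe-it's own code), the Python below mirrors the point the thread turns on: a name rendered through Blade's escaping (Laravel's e() helper, approximated here with html.escape) is inert text, while the same name emitted raw on the requested-assets page is parsed as markup. The payload is the one quoted in the report; the render helper and the audit function for finding already-stored names containing markup are assumptions, not part of the project.

```python
import html
import re

# Constructed sample: the payload from the report above, stored as an item name.
SAMPLE_PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">'


def escape_like_e(value: str) -> str:
    """Approximates Laravel's e() helper (htmlspecialchars with ENT_QUOTES):
    &, <, >, " and ' become entities, so a stored name is shown as text
    rather than parsed by the browser as markup."""
    return html.escape(value, quote=True)


# Tags or inline on*= handlers have no business in an asset name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """Flags stored names containing HTML tags or event handlers so an
    administrator can audit existing records after a view is fixed."""
    return MARKUP_RE.search(value) is not None


def render_requested_asset_row(name: str, escape: bool) -> str:
    """Hypothetical rendering helper (not snipe-it's view code): builds the
    table cell the way a Blade view would. escape=True behaves like
    {{ $name }}; escape=False behaves like {!! $name !!} or raw output."""
    cell = escape_like_e(name) if escape else name
    return f"<td>{cell}</td>"


def audit_names(names):
    """Returns the stored names that should be reviewed by an administrator."""
    return [n for n in names if looks_like_markup(n)]


if __name__ == "__main__":
    print("escaped :", render_requested_asset_row(SAMPLE_PAYLOAD, escape=True))
    print("raw     :", render_requested_asset_row(SAMPLE_PAYLOAD, escape=False))
    print("to review:", audit_names(["Dell Latitude 7420", SAMPLE_PAYLOAD]))
```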