Stored Cross Site Scripting vulnerability in Item name parameter in snipe/snipe-it

Valid

Reported on Apr 11th 2022


Description

Stored cross-site scripting vulnerability in the Item name parameter in the Asset module. Add the payload in the item name, and whenever the user adds the item to his requested assets, the alert will trigger.

Proof of Concept

  1. Log in to the demo account

  2. Go to the Asset functionality, add or edit an item name with the following payload, and save

  3. payload = "><iMg SrC="x" oNeRRor="alert(1);">

  4. Go to requested assets and check the item name (payload) that you added, or edit an asset that is already in requested assets

  5. If it is there, the alert will be triggered

Impact

The vulnerability is capable of stealing the user's cookie.

We are processing your report and will contact the snipe/snipe-it team within 24 hours. (2 months ago)
Asura-N modified the report (2 months ago)
We have contacted a member of the snipe/snipe-it team and are waiting to hear back (2 months ago)
snipe
2 months ago

Maintainer


I am unable to reproduce this. In the line cited, you can see the name is escaped using the e() escaping syntax.
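
As an added illustration (not snipe-it's own code) of the two rendering paths the report and this reply are about, the following takes the report's payload as a constructed asset name and renders it once raw and once escaped; `html.escape` stands in for Laravel's `e()` helper, and the row markup, function names and the `injected_markup` regression check are hypothetical:

```python
import html
from html.parser import HTMLParser

# Payload quoted from the report, used here as a constructed stored asset name.
PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">'

# Hypothetical row markup for a "requested assets" table (not snipe-it's template).
ROW_TEMPLATE = '<tr><td class="name">{name}</td></tr>'


def render_row_unescaped(name: str) -> str:
    """Vulnerable path: the stored name is interpolated into the HTML verbatim."""
    return ROW_TEMPLATE.format(name=name)


def render_row_escaped(name: str) -> str:
    """Hardened path: the name is HTML-escaped first, as Laravel's e() does."""
    return ROW_TEMPLATE.format(name=html.escape(name, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so iMg/oNeRRor are normalised.
        self.tags.append(tag)
        self.event_handlers += [k for k, _ in attrs if k.startswith("on")]


def injected_markup(rendered: str, template_tags=("tr", "td")) -> dict:
    """Regression check: list elements and event handlers the template did not contribute."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return {
        "extra_tags": [t for t in parser.tags if t not in template_tags],
        "event_handlers": parser.event_handlers,
    }
```

Running `injected_markup` over both renderings shows the raw path yields an extra `img` element carrying an `onerror` handler, while the escaped path yields none and the name survives as literal text.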

snipe
2 months ago

Maintainer


https://demo.snipeitapp.com/hardware/requested (the demo resets, so I don't know if the test will still be there when you check this message.)

Asura-N
a month ago

Researcher


Hi snipe, it is still executing. I will share a video PoC in a while for clear understanding.

Thanks Asura-N

Asura-N
a month ago

Researcher


https://mega.nz/file/A8knDSjY#gCZggqdSnnVX0N_VN6RPRIB00DB4xFI3Ogwwc-Icl20

snipe
a month ago

Maintainer


Thanks Asura - I am away for the day but will check when I return.

snipe
a month ago

Maintainer


Got it - this is on the user's requested assets page, not the admin's.

snipe validated this vulnerability a month ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on f211c1 a month ago
snipe has been awarded the fix bounty