Improper Privilege Management in snipe/snipe-it

Valid

Reported on Feb 11th 2022

Description

It was found that a user who does not have access to the supplier module can still access and view supplier content.

Proof of Concept

  1. Create two users, one admin and one normal user.
  2. The normal user does not have access to the supplier module.
  3. By enumerating supplier IDs, the normal user can nevertheless view the restricted supplier content.

POC

https://demo.snipeitapp.com/suppliers/1 Just change the number at the end of the URL, and you will see the details of each supplier.

Impact

This vulnerability allows an attacker to view restricted content.
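Because the server served the supplier pages without a permission check, the only trace left behind is the sequential walk over /suppliers/<id> in the access log. The following is an added detection example (not part of the report or of Snipe-IT) that flags a user who views many distinct supplier IDs inside a short window; it assumes a simplified, constructed log format of user, ISO timestamp, method, path and status.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the report): user, ISO timestamp, method, path, status.
# "bob" lacks supplier permissions but walks /suppliers/<id> sequentially, as the report describes.
SAMPLE_LOG = """\
alice 2022-02-11T10:00:01 GET /suppliers/1 200
bob 2022-02-11T10:00:05 GET /suppliers/1 200
bob 2022-02-11T10:00:06 GET /suppliers/2 200
bob 2022-02-11T10:00:07 GET /suppliers/3 200
bob 2022-02-11T10:00:08 GET /suppliers/4 200
bob 2022-02-11T10:00:09 GET /suppliers/5 200
alice 2022-02-11T10:05:00 GET /suppliers/7 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /suppliers/(\d+) (\d{3})$")


def parse_log(text):
    """Yield (user, timestamp, supplier_id) for supplier detail pages that were actually served (HTTP 200)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "200":
            yield m.group(1), datetime.fromisoformat(m.group(2)), int(m.group(3))


def find_enumeration(events, threshold=5, window=timedelta(seconds=30)):
    """Flag users who view at least `threshold` distinct supplier ids within any sliding `window`.

    Returns {user: sorted distinct ids present in the first window that crossed the threshold}.
    """
    flagged = {}
    recent = {}  # user -> deque of (timestamp, supplier_id) still inside the window
    for user, ts, sid in sorted(events, key=lambda e: e[1]):
        q = recent.setdefault(user, deque())
        q.append((ts, sid))
        while q and ts - q[0][0] > window:  # drop views older than the window
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and user not in flagged:
            flagged[user] = sorted(distinct)
    return flagged


if __name__ == "__main__":
    for user, ids in find_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{user} enumerated supplier ids {ids}")
```

The real control is the server-side permission check on every supplier route; this log check only surfaces exploitation of its absence, and the threshold and window should be tuned to normal use of the module.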

Timeline

  - We are processing your report and will contact the snipe/snipe-it team within 24 hours. (4 months ago)
  - We have contacted a member of the snipe/snipe-it team and are waiting to hear back. (4 months ago)
  - snipe validated this vulnerability. (3 months ago)
  - shubh123-tri has been awarded the disclosure bounty.
  - The fix bounty is now up for grabs.
  - snipe confirmed that a fix has been merged on db0c0e. (3 months ago)
  - snipe has been awarded the fix bounty.