Improper Privilege Management in snipe/snipe-it

Valid

Reported on Feb 11th 2022


Description

It was found that a user who has not been granted access to the supplier module can still open and view supplier records directly by their ID.

Proof of Concept

  1. Create two users, one admin and one normal user.
  2. Do not grant the normal user access to the supplier module; the Suppliers section is hidden from that user and the listing is denied.
  3. Logged in as the normal user, request a supplier's detail page directly by its numeric ID. The restricted supplier content is displayed, and incrementing the ID enumerates the other suppliers.

POC

Logged in as the normal user, open https://demo.snipeitapp.com/suppliers/1 and then step through the numeric ID (suppliers/2, suppliers/3, ...); each request returns the supplier's details even though the module is not assigned to the user.
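The bug is a missing authorization check on the detail route: the listing is gated on the module permission, but the per-ID route only checks that the record exists. The Laravel-style controller below is an added illustration of that pattern and of the hardened form; it is not Snipe-IT's code and not the content of commit db0c0e. The `SupplierPolicy`, the `suppliers.view` permission name and the `hasAccess()` helper on the user model are assumptions made for the example.

```php
<?php
// Added example, not Snipe-IT's controller. Models, view names and the
// permission helper are placeholders; the authorization pattern is the point.

use App\Models\Supplier;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Routing\Controller;

class SupplierPolicy
{
    // Assumed permission check: hasAccess() and the permission string are
    // hypothetical names standing in for the application's own permission model.
    public function view(User $user): bool
    {
        return $user->hasAccess('suppliers.view');
    }
}

class SuppliersController extends Controller
{
    use AuthorizesRequests;

    // Listing: gated, so a user without the module never sees the index.
    public function index()
    {
        $this->authorize('view', Supplier::class);
        return view('suppliers.index', ['suppliers' => Supplier::all()]);
    }

    // Vulnerable pattern (shown for contrast): the detail route only checks
    // that the row exists. Any authenticated user who types /suppliers/{id}
    // gets the page, and the IDs are sequential, so enumeration is trivial.
    public function showVulnerable(int $id)
    {
        $supplier = Supplier::findOrFail($id);
        return view('suppliers.view', ['supplier' => $supplier]);
    }

    // Hardened: run the same policy check as index() before touching the
    // database. authorize() throws AuthorizationException, which Laravel
    // renders as HTTP 403, when the policy returns false.
    public function show(int $id)
    {
        $this->authorize('view', Supplier::class);
        $supplier = Supplier::findOrFail($id);
        return view('suppliers.view', ['supplier' => $supplier]);
    }
}

// Regression check as a Laravel feature test (assumed factories and route
// names). It asserts the low-privilege user is refused on the detail route,
// which is exactly the request the PoC above makes.
class SupplierAccessTest extends Tests\TestCase
{
    public function test_user_without_module_cannot_view_supplier_by_id(): void
    {
        $supplier = Supplier::factory()->create();
        $user = User::factory()->create();          // no suppliers.view permission

        $this->actingAs($user)
            ->get('/suppliers/' . $supplier->id)
            ->assertStatus(403);
    }

    public function test_user_with_module_can_view_supplier(): void
    {
        $supplier = Supplier::factory()->create();
        $admin = User::factory()->create();
        $admin->permissions = ['suppliers.view' => 1];  // assumed storage format
        $admin->save();

        $this->actingAs($admin)
            ->get('/suppliers/' . $supplier->id)
            ->assertStatus(200);
    }
}
```

The policy must be registered (in `AuthServiceProvider::$policies` or via Gate) for `authorize('view', Supplier::class)` to reach `SupplierPolicy::view`; the check is made against the class rather than the instance so that it fires before the record is loaded, which also avoids leaking whether a given ID exists to an unauthorized user. When auditing for the same class of bug, grep each resource controller for routes that call `findOrFail()` or similar without a preceding `authorize()` or route middleware.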

Impact

This vulnerability allows any authenticated low-privilege user to view supplier records that the permission model is meant to hide from them, and to enumerate all suppliers by iterating the sequential ID.

Timeline

  1. huntr received the report and contacted the snipe/snipe-it team.
  2. snipe validated this vulnerability.
  3. shubh123-tri was awarded the disclosure bounty.
  4. snipe marked this as fixed in 5.3.9 with commit db0c0e.
  5. snipe was awarded the fix bounty.
  6. This vulnerability will not receive a CVE.