Improper Privilege Management in snipe/snipe-it


Reported on Feb 11th 2022


It was found that a user who has not been granted access to the supplier module can still access and view supplier content.

Proof of Concept

  1. Create two users: one admin and one normal user.
  2. The normal user is not given access to the supplier module.
  3. By enumerating the supplier identifier, the normal user can nevertheless view the restricted supplier content.

POC: just enumerate the number and you will see the details.


This vulnerability will help an attacker view restricted content.
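The defect described above is a missing authorization check on the supplier view route: the handler looks the record up by its id and returns it without asking whether the caller holds the supplier permission, so any authenticated user who can guess an id gets the page. The block below is an added illustration written for this page, not Snipe-IT's own code or its actual fix; it shows the unchecked handler beside a hardened one in the generic Laravel style, plus a feature test that asserts the 403. The names `SupplierController`, `Supplier`, `SupplierPolicy`, the `suppliers.view` view and the `hasPermission()` helper on the `User` model are all assumptions for the example.

```php
<?php
// Added example (not Snipe-IT's code): object-level authorization on a
// supplier view route in a Laravel application. Class, view and helper
// names are assumed for illustration.

namespace App\Policies {
    use App\Models\User;

    class SupplierPolicy
    {
        // Gate for viewing suppliers. hasPermission() is an assumed helper
        // on the User model that answers whether the user holds the
        // supplier-module permission.
        public function view(User $user): bool
        {
            return $user->hasPermission('suppliers.view');
        }
    }
}

namespace App\Providers {
    use App\Models\Supplier;
    use App\Policies\SupplierPolicy;
    use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

    class AuthServiceProvider extends ServiceProvider
    {
        // Bind the model to its policy so $this->authorize('view', Supplier::class)
        // resolves to SupplierPolicy::view().
        protected $policies = [
            Supplier::class => SupplierPolicy::class,
        ];
    }
}

namespace App\Http\Controllers {
    use App\Models\Supplier;

    class SupplierController extends Controller
    {
        // Vulnerable shape: the record is fetched and rendered for any
        // authenticated caller; enumerating {id} walks the whole table.
        public function showUnchecked(int $id)
        {
            $supplier = Supplier::findOrFail($id);
            return view('suppliers.view', compact('supplier'));
        }

        // Hardened shape: authorize() consults SupplierPolicy::view() first
        // and throws AuthorizationException (rendered as HTTP 403) before any
        // supplier data is loaded, so guessing ids yields nothing.
        public function show(int $id)
        {
            $this->authorize('view', Supplier::class);
            $supplier = Supplier::findOrFail($id);
            return view('suppliers.view', compact('supplier'));
        }
    }
}

namespace Tests\Feature {
    use App\Models\Supplier;
    use App\Models\User;
    use Tests\TestCase;

    class SupplierAccessTest extends TestCase
    {
        // Regression check: a user without the supplier permission must get
        // 403 on a direct, guessed supplier id, not the record.
        public function test_user_without_supplier_permission_is_forbidden(): void
        {
            $supplier = Supplier::factory()->create();
            $user = User::factory()->create(); // no suppliers.view permission

            $this->actingAs($user)
                 ->get('/suppliers/' . $supplier->id)
                 ->assertForbidden();
        }
    }
}
```

Placing the check in the controller (or as a `can:` route middleware) rather than only hiding the menu entry is the point: the menu is a presentation detail, while the route is what an enumerating client actually talks to. The feature test is the artifact that keeps the fix from regressing when the controller is later refactored.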

Timeline:

  - We are processing your report and will contact the snipe/snipe-it team within 24 hours. (4 months ago)
  - We have contacted a member of the snipe/snipe-it team and are waiting to hear back. (4 months ago)
  - snipe validated this vulnerability. (3 months ago)
  - shubh123-tri has been awarded the disclosure bounty.
  - The fix bounty is now up for grabs.
  - snipe confirmed that a fix has been merged on db0c0e. (3 months ago)
  - snipe has been awarded the fix bounty.