Improper Privilege Management in snipe/snipe-it


Reported on Feb 11th 2022


It was found that a user who does not have access to the supplier module can still access and view supplier content.

Proof of Concept

  1. Create two users, one admin and one normal user.
  2. The normal user does not have access to the supplier module.
  3. By enumerating supplier IDs, the normal user can nonetheless view the restricted supplier content.

PoC: just enumerate the supplier ID number in the URL and the supplier details are displayed.


This vulnerability allows an attacker to view restricted content.
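From the defender's side, a server that returns 200 for supplier records regardless of permission leaves a recognisable trace: a user who holds no supplier permission successfully walking consecutive supplier IDs. The following added example (not code from the report or from Snipe-IT) flags that pattern in constructed access-log lines; the log format, the `/suppliers/{id}` path and the set of unauthorized users are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the report). Format assumed:
# "<ip> <user> <method> <path> <status>". "bob" holds no supplier permission
# yet receives 200 for a run of sequential supplier IDs.
SAMPLE_LOG = """\
10.0.0.5 alice GET /suppliers/7 200
10.0.0.9 bob GET /suppliers/1 200
10.0.0.9 bob GET /suppliers/2 200
10.0.0.9 bob GET /suppliers/3 200
10.0.0.9 bob GET /suppliers/4 200
10.0.0.5 alice GET /hardware/12 200
"""

# Only supplier detail requests are of interest here (path shape assumed).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /suppliers/(\d+) (\d{3})$")


def supplier_hits(log_text):
    """Map user -> sorted list of supplier IDs that were served with 200."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(5) == "200":
            hits[m.group(2)].add(int(m.group(4)))
    return {user: sorted(ids) for user, ids in hits.items()}


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(log_text, unauthorized_users, min_run=3):
    """Return users lacking the supplier permission (assumed to be exported
    from the application's permission table) who nonetheless retrieved at
    least `min_run` consecutive supplier records successfully."""
    flagged = []
    for user, ids in supplier_hits(log_text).items():
        if user in unauthorized_users and longest_sequential_run(ids) >= min_run:
            flagged.append(user)
    return sorted(flagged)
```

A 200 for any supplier record from a user outside the permission set is itself a finding; the sequential-run threshold only raises the priority.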

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
snipe validated this vulnerability a year ago
shubh123-tri has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed in 5.3.9 with commit db0c0e a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE