The UI Performs the Wrong Action in snipe/snipe-it


Reported on Oct 4th 2021

Sensitive data in the application can be exposed after the user logs out.

Proof of Concept

1. Login to the application (
2. Go to a page like My Account, or any other page
3. Click logout
4. Click the browser back button


When a user logs out without closing the browser, someone can view the information inside by clicking the back button on the browser, because the browser re-displays the previously rendered page from its cache instead of requesting it again from the server.
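The usual root cause of this class of bug is that authenticated pages are served without cache directives that forbid storing them, so the browser can re-display a stale copy after the session has ended. The following is an added example, not snipe-it's own code or the content of the fix commit: it audits the response headers of an authenticated page for that condition and shows the header set a fix would apply. The header values and the sample "My Account" response are constructed for illustration. Note that `Cache-Control: no-store` addresses the HTTP cache only; the server must still invalidate the session on logout so that a fresh request for the page is refused.

```python
from typing import Dict, List

# Constructed defaults (not snipe-it's code): headers a server should send on
# authenticated responses so the browser does not keep a reusable copy.
NO_STORE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def _directives(cache_control: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument} with lower-cased names."""
    out: Dict[str, str] = {}
    for part in cache_control.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"')
    return out


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the response to an authenticated page.

    An empty list means the response carries the directives needed to keep the
    HTTP cache from re-serving it after logout (back button, history navigation).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    directives = _directives(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in directives:
        findings.append("Cache-Control is missing no-store: the page may be stored "
                        "and replayed from cache after logout")
    if "public" in directives:
        findings.append("Cache-Control marks the page public: shared caches may keep it")
    max_age = directives.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control allows reuse for {max_age}s without revalidation")
    return findings


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with the no-store set applied; this is what a
    response middleware would add to every authenticated page."""
    managed = {h.lower() for h in NO_STORE_HEADERS}
    fixed = {k: v for k, v in headers.items() if k.lower() not in managed}
    fixed.update(NO_STORE_HEADERS)
    return fixed


# Constructed sample: how a "My Account" page might be served before the fix.
VULNERABLE_RESPONSE: Dict[str, str] = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "private, max-age=600",
    "Set-Cookie": "session=placeholder; HttpOnly; Secure",
}

if __name__ == "__main__":
    for finding in audit_cache_headers(VULNERABLE_RESPONSE):
        print("FINDING:", finding)
    print("after fix:", audit_cache_headers(harden_headers(VULNERABLE_RESPONSE)))
```

Running the audit against the constructed sample reports two findings (no `no-store`, and a positive `max-age`); after `harden_headers` is applied the same audit reports none. The same function can be pointed at real captured response headers from any page that requires a login, which makes it a quick regression check after a fix like the one referenced in the timeline below.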

Timeline

- We have contacted a member of the snipe/snipe-it team and are waiting to hear back (a year ago)
- snipe validated this vulnerability (a year ago)
- Asura-N has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- snipe marked this as fixed with commit 9b4873 (a year ago)
- The fix bounty has been dropped
- This vulnerability will not receive a CVE