The UI Performs the Wrong Action in snipe/snipe-it


Reported on Oct 4th 2021


Sensitive data in the application can be exposed after the user logs out.

Proof of Concept

1. Login to the application (
2. Go to a page such as My Account, or any other page
3. Click logout
4. Click the browser back button


When a user logs out without closing the browser, someone else at the same machine can view the information on previously loaded pages by clicking the browser's back button, because the browser serves those pages from its cache or history without contacting the server again.
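The root cause of this class of finding is that authenticated pages are served without cache headers that tell the browser not to keep a copy. The script below is an added example written for this page, not Snipe-IT code or its actual fix: it parses a response's `Cache-Control` header, reports whether a page could still be shown from cache after logout, and lists the header set that closes the gap. The header samples (`SAMPLE_RESPONSES`) are constructed for the demonstration; treating a response as protected only when `no-store` is present is the check's own rule, since a bare `no-cache` does not stop history navigation from reusing the page.

```python
"""Audit response headers for the 'back button after logout' exposure.

Added example; not code from the Snipe-IT project. Sample header sets
below are constructed for illustration.
"""
from __future__ import annotations

from typing import Mapping

# Header set that prevents browsers and intermediaries from keeping a copy
# of an authenticated page (classic OWASP recommendation).
RECOMMENDED_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",   # honoured by legacy HTTP/1.0 caches
    "Expires": "0",
}

# Constructed samples: what an authenticated page might send before and
# after a cache-header fix is applied.
SAMPLE_RESPONSES = {
    "before_fix": {
        "Content-Type": "text/html; charset=UTF-8",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure",
    },
    "after_fix": {
        "Content-Type": "text/html; charset=UTF-8",
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure",
        **RECOMMENDED_HEADERS,
    },
}


def cache_control_directives(value: str) -> dict[str, str | None]:
    """Parse a Cache-Control value into {directive: argument or None}, lower-cased."""
    directives: dict[str, str | None] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def get_header(headers: Mapping[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_replayable_after_logout(headers: Mapping[str, str]) -> bool:
    """True if a browser may show this response from cache/history after logout.

    Rule used here: only `no-store` counts as protection. A missing header or
    `no-cache` alone still lets the page be reused on a Back navigation.
    """
    cache_control = get_header(headers, "Cache-Control")
    if cache_control is None:
        return True
    return "no-store" not in cache_control_directives(cache_control)


def audit(headers: Mapping[str, str]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the page is protected."""
    findings: list[str] = []
    cache_control = get_header(headers, "Cache-Control")
    if cache_control is None:
        findings.append("Cache-Control header missing")
    else:
        directives = cache_control_directives(cache_control)
        if "no-store" not in directives:
            findings.append("Cache-Control lacks no-store")
        if "public" in directives:
            findings.append("Cache-Control marks authenticated page public")
        max_age = directives.get("max-age")
        if max_age not in (None, "0"):
            findings.append(f"Cache-Control allows reuse for {max_age}s")
    if get_header(headers, "Pragma") is None:
        findings.append("Pragma: no-cache missing (legacy caches)")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(f"{label}: replayable={is_replayable_after_logout(headers)} "
              f"findings={audit(headers)}")
```

Running the script over the two constructed samples flags the pre-fix response (no `Cache-Control` at all) and passes the one carrying the recommended set. To use it against a real deployment, capture the response headers of an authenticated page with the browser's developer tools or any HTTP client and pass them to `audit()`; the same check belongs in an integration test so the headers cannot regress silently.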

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 months ago
snipe validated this vulnerability 2 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 9b4873 2 months ago
The fix bounty has been dropped