Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Valid
Reported on Dec 16th 2021
Description
CSRF to disrupt request tracking
Proof of Concept
Open the HTML file as a logged-in user
<img src="http://[SNIPE_IT]/account/request-asset/1">
Impact
Unauthenticated attackers outside the organization can disrupt request tracking by sending the malicious HTML to a logged-in user; the user's browser then loads the image URL with the session cookie attached and files an asset request on the user's behalf.
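As an added illustration (not code from the report or from Snipe-IT), a Python model of the request-asset handler before and after the fix: the vulnerable version changes state on any authenticated GET, which is what lets a cross-site `<img>` load trigger it, while the hardened version accepts only a POST carrying the session's synchronizer token and a matching Origin. The handler names, the Session/Request classes, the in-memory request log and the site origin are assumptions, not Snipe-IT's API.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """Server-side session bound to the browser's session cookie (constructed)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """What the handler sees; the browser attaches the session cookie on its own."""
    method: str
    path: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header, if the browser sent one


SITE_ORIGIN = "https://snipe.example.test"  # assumed deployment origin
request_log: List[Tuple[str, int]] = []     # stands in for the asset-request table


def vulnerable_request_asset(req: Request, asset_id: int) -> int:
    """Before: any authenticated GET records an asset request.

    A cross-site <img src=".../account/request-asset/1"> is exactly such a GET,
    so the victim's browser files the request without the victim's intent.
    """
    if req.session is None:
        return 401
    request_log.append((req.session.user, asset_id))
    return 200


def hardened_request_asset(req: Request, asset_id: int) -> int:
    """After: state changes only via POST with the session's synchronizer token."""
    if req.session is None:
        return 401
    if req.method != "POST":
        return 405  # an <img> or a plain link can only produce a GET
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403  # defence in depth: reject cross-origin POSTs outright
    token = req.form.get("_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 419  # Laravel's status for a CSRF token mismatch
    request_log.append((req.session.user, asset_id))
    return 200
```

A detection angle follows from the same model: asset requests arriving via GET, or POSTs whose Origin differs from the site, are worth alerting on in the web server logs.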
We are processing your report and will contact the snipe/snipe-it team within 24 hours. (a year ago)
We have contacted a member of the snipe/snipe-it team and are waiting to hear back. (a year ago)