Cross-Site Request Forgery (CSRF) in snipe/snipe-it


Reported on Dec 16th 2021


CSRF to disrupt request tracking

Proof of Concept

Open the HTML file as a logged-in user

<img src="http://[SNIPE_IT]/account/request-asset/1">


Unauthenticated attackers situated outside of the organization can disrupt request tracking by sending the malicious HTML to a user, which will cause them to request an asset.

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 2 years ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 2 years ago
snipe validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed in 5.3.6 with commit 9b2dd6 2 years ago
snipe has been awarded the fix bounty