Old sessions are not blocked by the login enable function. in snipe/snipe-it


Reported on

Mar 25th 2022


If you disable logic function of an user, that user can still login by using their old session.

Proof of Concept

Step 1: login to dashboard by a normal account.

Step 2: use a diffrent browser to login as admin

Step 3: make the normal account in step 1 unable to login.

Step 4: return to the browser login the normal account and refresh. You can see that this user can still login and use website's feature like create asset (if this account has permission)


This could make leaked data.

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago
We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. a year ago
snipe validated this vulnerability a year ago
lekhang123lc has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe marked this as fixed in 5.3.10 with commit bdabbb a year ago
snipe has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation