Old sessions are not blocked by the login enable function in snipe/snipe-it
Mar 25th 2022
If you disable the login function of a user, that user can still log in by using their old session.
Proof of Concept
Step 1: log in to the dashboard with a normal account.
Step 2: use a different browser to log in as admin.
Step 3: make the normal account from step 1 unable to log in.
Step 4: return to the browser where the normal account is logged in and refresh. You can see that this user is still logged in and can use the website's features, such as creating an asset (if this account has the permission).
This could lead to leaked data.
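The root cause described above is that disabling login only affects new authentication attempts, while an already-issued session keeps working. The following Laravel middleware is an added example written for this report, not code from Snipe-IT itself: on every request it re-checks whether the authenticated user is still allowed to log in and, if not, destroys the session. The class name, the route name `login`, and the assumption that the user model exposes an `activated` flag are all hypothetical; the session-deletion helper assumes Laravel's database session driver, whose `sessions` table carries a `user_id` column.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example (not Snipe-IT code): reject requests from sessions whose
 * user has been deactivated since the session was created.
 */
class EnsureUserStillActivated
{
    public function handle(Request $request, Closure $next): Response
    {
        // Only authenticated sessions are relevant; anonymous requests pass through.
        if (Auth::check()) {
            $user = Auth::user();

            // Hypothetical attribute: the flag the admin clears when disabling login.
            // The check runs on every request, so an old session cannot outlive it.
            if (!$user->activated) {
                // Log the user out and discard the server-side session data so the
                // old cookie can no longer be replayed; rotate the CSRF token too.
                Auth::logout();
                $request->session()->invalidate();
                $request->session()->regenerateToken();

                return redirect()->route('login')
                    ->withErrors(['login' => 'This account has been deactivated.']);
            }
        }

        return $next($request);
    }

    /**
     * Complementary measure for the moment an admin disables an account:
     * remove every stored session belonging to that user immediately, rather
     * than waiting for their next request. Assumes the database session driver.
     */
    public static function revokeAllSessionsFor(int $userId): int
    {
        // Returns the number of session rows deleted.
        return DB::table('sessions')->where('user_id', $userId)->delete();
    }
}
```

To take effect, the middleware would be appended to the `web` middleware group in `app/Http/Kernel.php`, and `revokeAllSessionsFor($user->id)` would be called from whatever code path clears the activation flag. The per-request check is the important half: even with the file or cache session driver, where server-side rows cannot be enumerated by user, the stale session is refused on its next request rather than being honoured until it expires.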
snipe validated this vulnerability a year ago
lekhang123lc has been awarded the disclosure bounty
The fix bounty is now up for grabs