Improper Access Control in snipe/snipe-it

a year ago

haxatron submitted a

a year ago

commented a year ago

Researcher

Fix commit: https://github.com/Haxatron/snipe-it/commit/bb095641c2f421f744796d184287c46fc9303591

Let me know if you want a PR :)

We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago

haxatron modified the report

a year ago

commented a year ago

Researcher

note that fix is on master branch, not fix-access-control branch, also updated permalinks to reflect where all 4 issues occur

haxatron modified the report

a year ago

haxatron modified the report

a year ago

We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. a year ago

commented a year ago

Maintainer

You are a rock star <3 - can you PR this? It would be easier for me - if you can't, no worries, I'll sort it out.

commented a year ago

Researcher

Done - https://github.com/snipe/snipe-it/pull/10498

commented a year ago

Researcher

@maintainer, could you validate this? Thanks! :D

snipe validated this vulnerability a year ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

Done,, and thanks :) You can call me snipe ;)

commented a year ago

Researcher

No problem snipe, happy to contribute to the security of your project. Once a new release is available, or when you are comfortable, could you submit the fix for this as well? That would be great! :)

snipe marked this as fixed in 5.3.6 with commit cf14a0 a year ago

haxatron has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the snipe/snipe-it team within 24 hours. a year ago

haxatron modified the report

a year ago

haxatron modified the report

a year ago

haxatron modified the report

a year ago

haxatron submitted a

a year ago

haxatron submitted a

a year ago

commented a year ago

Researcher

Fix commit: https://github.com/Haxatron/snipe-it/commit/bb095641c2f421f744796d184287c46fc9303591

Let me know if you want a PR :)

We have contacted a member of the snipe/snipe-it team and are waiting to hear back a year ago

haxatron modified the report

a year ago

commented a year ago

Researcher

note that fix is on master branch, not fix-access-control branch, also updated permalinks to reflect where all 4 issues occur

haxatron modified the report

a year ago

haxatron modified the report

a year ago

We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. a year ago

commented a year ago

Maintainer

You are a rock star <3 - can you PR this? It would be easier for me - if you can't, no worries, I'll sort it out.

commented a year ago

Researcher

Done - https://github.com/snipe/snipe-it/pull/10498

commented a year ago

Researcher

@maintainer, could you validate this? Thanks! :D

snipe validated this vulnerability a year ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

Done,, and thanks :) You can call me snipe ;)