Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrKstarkloff81C6B974-D0B3-410B-A902-8324A55B1368
HistoryJan 09, 2022 - 7:39 p.m.

Improper Access Control in snipe/snipe-it

2022-01-0919:39:11
kstarkloff
www.huntr.dev
8

EPSS

0.001

Percentile

21.4%

JSON

Description

A user with no rights for API tokens can view the page where API tokens can be generated and can generate API tokens.

Proof of Concept

  • Create a user with no permission for anything (i.e. everything on deny).

  • Log in with this user to the web application.

  • Visit http://127.0.0.1:8000/account/api => The user can see and generate personal API tokens even the user has no rights for it.

Impact

The impact trends to be low as the user sees / generates his own API tokens. If the page would have some other serious errors, the attacker could from this point on doing more stuff.

Related

cvelist 1
cnvd 1
osv 2
prion 1
github 1
cve 1
nvd 1
cvelist
cvelist
CVE-2022-0178 Missing Authorization in snipe/snipe-it
2022-01-13 22:25:11
cnvd
cnvd
snipe-it Access Control Error Vulnerability (CNVD-2022-08381)
2022-01-17 00:00:00
osv
osv
Improper Access Control in snipe-it
2022-01-26 20:24:23
CVE-2022-0178
2022-01-13 23:15:07
prion
prion
Authorization
2022-01-13 23:15:00
github
github
Improper Access Control in snipe-it
2022-01-26 20:24:23
cve
cve
CVE-2022-0178
2022-01-13 23:15:07
nvd
nvd
CVE-2022-0178
2022-01-13 23:15:07

EPSS

0.001

Percentile

21.4%

JSON
Related for 81C6B974-D0B3-410B-A902-8324A55B1368
cvelist1cnvd1osv2prion1github1cve1nvd1