CVE-2024-5685 Broken Function Level Authorization (BFLA) in snipe/snipe-it
Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call. This issue affects snipe-it: from v4.6.17 through v6.4.1...
CVE-2023-5511
Cross-Site Request Forgery CSRF in GitHub repository snipe/snipe-it prior to v.6.2.3...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF in GitHub repository snipe/snipe-it prior to v.6.2.3...
CVE-2023-5511 Cross-Site Request Forgery (CSRF) in snipe/snipe-it
Cross-Site Request Forgery CSRF in GitHub repository snipe/snipe-it prior to v.6.2.3...
CVE-2023-5452
Cross-site Scripting XSS - Stored in GitHub repository snipe/snipe-it prior to v6.2.2...
Cross site scripting
Cross-site Scripting XSS - Stored in GitHub repository snipe/snipe-it prior to v6.2.2...
CVE-2023-5452
Snipe-IT is affected by a stored cross-site scripting (XSS) vulnerability in versions prior to 6.2.2. Public records describe the issue as affecting the location endpoint (and possibly assets) with stored payloads that can execute script when viewed by another user. A PoC exists in 6.2.1 (and rel...
CVE-2023-5452 Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Cross-site Scripting XSS - Stored in GitHub repository snipe/snipe-it prior to v6.2.2...
Authentication flaw
Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10...
CVE-2022-3173
CVE-2022-3173 affects Snipe-IT prior to 6.0.10. The issue is improper authentication/authorization, allowing a user with only limited license-view permissions to access files uploaded to licenses and, per sources, to create API keys despite lacking permission. Documents indicate a remote authenti...
CVE-2022-3035
Cross-site Scripting XSS - Stored in GitHub repository snipe/snipe-it prior to v6.0.11...
CVE-2022-3035
CVE-2022-3035 is a Stored XSS vulnerability affecting Snipe-IT prior to version 6.0.11. Multiple sources (NVD/NVD-listed entry, OSV, Veracode, CVE list) consistently describe Cross-site Scripting in the web app, originating from insufficient escaping/input handling in the UI when processing user ...
CVE-2022-3035 Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Cross-site Scripting XSS - Stored in GitHub repository snipe/snipe-it prior to v6.0.11...
CVE-2022-2997 Session Fixation in snipe/snipe-it
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10...
Host Header Injection
snipe/snipe-it is vulnerable to host header injection. An attacker is able to reset the password and take over a user account by luring the victim to an attacker-controlled server via a maliciously crafted password request link...
Authorization
Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4...