Lucene search
K
SnipeitappSnipe-it

62 matches found

CVE
CVE
added 2022/02/14 7:0 p.m.127 views

CVE-2022-0579

The CVE-2022-0579 entry concerns Snipe-IT (Packagist snipe/snipe-it) before version 5.3.9. Several connected sources confirm an improper privilege management flaw that allows a user without access to the supplier module to view supplier content, indicating a privilege-related exposure rather than...

6.5CVSS6.3AI score0.01033EPSS
CVE
CVE
added 2022/02/17 2:5 a.m.123 views

CVE-2022-0622

Affected software: snipe-it (Packagist package snipe/snipe-it). Vulnerability: Generation of an error message containing sensitive information in Snipe-IT prior to version 5.3.11, leading to information exposure. Root cause/impact: The error handling path in the application reveals sensitive data...

5.3CVSS5.1AI score0.00988EPSS
CVE
CVE
added 2022/02/12 11:55 p.m.122 views

CVE-2022-0569

CVE-2022-0569 affects snipe/snipe-it, prior to v5.3.9, with an information-disclosure flaw caused by differences in password-reset responses that can enumerate registered user emails. Impact is information disclosure (email enumeration) and potential brute-force risk implied by exposed email list...

5.3CVSS4.8AI score0.01041EPSS
CVE
CVE
added 2022/02/15 11:30 p.m.121 views

CVE-2022-0611

CVE-2022-0611 concerns an elevation of privilege in the open-source asset management solution Snipe-IT . The vulnerability stems from missing/ improper authorization (privilege management) in versions prior to 5.3.11 , allowing an unprivileged user to perform maintenance-related actions for asset...

8.8CVSS8.1AI score0.012EPSS
CVE
CVE
added 2022/03/30 12:20 p.m.103 views

CVE-2022-1155

CVE-2022-1155 affects Snipe-IT, where the login enable function does not revoke/block old sessions in versions prior to 5.3.10. Exploitation could allow continuing access by existing sessions after a role/account change. Public details indicate fixes: 5.4.2 and 6.0.0-RC-6 (and later releases). Re...

7.4CVSS7.4AI score0.00977EPSS
CVE
CVE
added 2022/04/28 12:0 a.m.103 views

CVE-2022-1511

CVE-2022-1511 affects snipe/snipe-it prior to 5.4.4, due to Missing Authorization / Improper Access Control. Exploitation allows unauthorized access to the GitHub repository assets and data exposed by insufficient access controls. The issue is documented across multiple sources (GitHub advisory G...

6.5CVSS6.4AI score0.00994EPSS
CVE
CVE
added 2022/05/02 12:30 p.m.101 views

CVE-2022-23064

Snipe-IT (versions v3.0-alpha to v5.3.7) is affected by a Host Header Injection vulnerability. A specially crafted Host header in the reset password request can cause password reset links to be sent to an attacker-controlled server, enabling leakage of password reset tokens and potentially result...

8.8CVSS8.6AI score0.01264EPSS
CVE
CVE
added 2024/06/14 9:54 a.m.101 views

CVE-2024-5685

CVE-2024-5685 affects Snipe-IT (versions v4.6.17–v6.4.1). The root cause is missing authorization checks in the API endpoint that allows users with User:edit and Self:api permissions to modify group memberships, enabling promotion/demotion of users. Remediation: upgrade to v6.4.2 or later (as ref...

8.1CVSS7.5AI score0.00407EPSS
CVE
CVE
added 2023/10/11 12:0 a.m.100 views

CVE-2023-5511

CVE-2023-5511 : Cross-Site Request Forgery in the GitHub repository snipe/snipe-it prior to v6.2.3. The weakness is triggered by CSRF in the snipe-it web app, with analysis across sources indicating the issue derives from request handling for the resend remainder acceptance option (defaulting to ...

8.8CVSS7.5AI score0.00265EPSS
CVE
CVE
added 2022/01/13 10:25 p.m.99 views

CVE-2022-0178

CVE-2022-0178 affects snipe-it (Snipe-IT). Multiple connected sources describe a Missing Authorization/ improper Access Control vulnerability where users with no system permissions can see and create personal access tokens. Affected versions are prior to 5.3.8. Remediation: update to 5.3.8 or lat...

6.3CVSS5.8AI score0.00664EPSS
CVE
CVE
added 2022/07/07 12:0 a.m.98 views

CVE-2022-32060

CVE-2022-32060 affects Snipe-IT 6.0.2, with an arbitrary file upload vulnerability in the Update Branding Settings component. Connected sources attribute the root cause to inadequate validation in the Update Branding Settings handling (store function), enabling an attacker to upload a crafted fil...

4.8CVSS5.6AI score0.01114EPSS
CVE
CVE
added 2022/04/24 2:30 p.m.94 views

CVE-2022-1445

Snipe-IT (open source IT asset/license management) is affected by CVE-2022-1445: a stored XSS vulnerability in the checked_out_to parameter, caused by unescaped input, allowing an attacker to steal user cookies. It impacts versions before 5.4.3. remediation is to upgrade to 5.4.3 or apply the pro...

9CVSS5.6AI score0.00765EPSS
CVE
CVE
added 2024/10/11 12:0 a.m.92 views

CVE-2024-48987

CVE-2024-48987 affects Snipe-IT prior to 7.0.10. The vulnerability enables remote code execution through cookie handling when an attacker knows the APP_KEY, with risk amplified by default APP_KEY values in .env files in the repository. Affected component is the cookie deserialization path; root c...

6.6CVSS8.1AI score0.00962EPSS
CVE
CVE
added 2022/04/16 11:30 a.m.88 views

CVE-2022-1380

CVE-2022-1380 is a Stored Cross-Site Scripting vulnerability in the snipe-it project’s Item name parameter, affecting all versions prior to 5.4.3. The root cause is unsanitized item name input that can execute injected scripts and potentially steal user cookies, enabling session hijacking. Public...

9.1CVSS5.6AI score0.00834EPSS
CVE
CVE
added 2022/08/25 8:30 p.m.87 views

CVE-2022-2997

CVE-2022-2997 affects the Snipe-IT project (snipe/snipe-it) prior to 6.0.10. Root cause: a session-fixation issue where the session is not invalidated after a password change. Impact: could enable unauthorized access to user accounts if exploited. Remediation: upgrade to version 6.0.10 or later; ...

8CVSS6AI score0.00674EPSS
CVE
CVE
added 2022/08/29 7:35 p.m.85 views

CVE-2022-3035

CVE-2022-3035 is a Stored XSS vulnerability affecting Snipe-IT prior to version 6.0.11. Multiple sources (NVD/NVD-listed entry, OSV, Veracode, CVE list) consistently describe Cross-site Scripting in the web app, originating from insufficient escaping/input handling in the UI when processing user ...

5.9CVSS4.9AI score0.00595EPSS
CVE
CVE
added 2024/11/12 12:0 a.m.84 views

CVE-2024-51093

CVE-2024-51093 is a Stored XSS vulnerability in Snipe-IT 7.0.13 where an attacker can upload a malicious XML file containing JavaScript. The payload can execute in the victim’s browser and, as described across sources, may enable privilege escalation to a super admin. Affected component is the fi...

8.7CVSS5.5AI score0.00402EPSS
CVE
CVE
added 2022/07/07 10:12 p.m.81 views

CVE-2022-32061

CVE-2022-32061 affects Snipe-IT v6.0.2: the vulnerability is an arbitrary file upload in the Select User function under the People Menu component, enabling an attacker to execute arbitrary code via a crafted file. The connected sources confirm the affected product and the basic impact but do not ...

4.8CVSS5.6AI score0.00634EPSS
CVE
CVE
added 2025/05/02 12:0 a.m.80 views

CVE-2025-47226

Grokability Snipe-IT (Snipe-IT)

5CVSS7.1AI score0.01189EPSS
Web
CVE
CVE
added 2022/01/12 12:0 a.m.79 views

CVE-2022-0179

CVE-2022-0179 – snipe-it : A Missing Authorization flaw (faulty access control) in snipe-it, an open-source IT asset/license management system. The vulnerability is described with partial confidentiality/integrity impact (C:L/I:L) and no availability impact in the NVD metrics, and is classified u...

6.3CVSS5.5AI score0.00639EPSS
CVE
CVE
added 2022/12/25 12:0 a.m.77 views

CVE-2022-44381

Snipe-IT (open source IT asset/license management) up to version 6.0.14 is affected. The vulnerability arises from response variations in the /password/reset endpoint that allow an attacker to determine whether a given user account exists (user enumeration). Impact is limited to information discl...

5.3CVSS5.2AI score0.00646EPSS
Web
CVE
CVE
added 2021/10/19 12:30 p.m.76 views

CVE-2021-3879

CVE-2021-3879 affects snipe-it and is caused by improper neutralization of input during web page generation, leading to Cross-site Scripting (XSS). Multiple connected records corroborate a client-side data validation weakness in the web app, with impact described as disclosure/intrusion via injec...

6.8CVSS5.5AI score0.00803EPSS
CVE
CVE
added 2022/09/17 6:50 a.m.74 views

CVE-2022-3173

CVE-2022-3173 affects Snipe-IT prior to 6.0.10. The issue is improper authentication/authorization, allowing a user with only limited license-view permissions to access files uploaded to licenses and, per sources, to create API keys despite lacking permission. Documents indicate a remote authenti...

4.3CVSS4.5AI score0.0072EPSS
CVE
CVE
added 2021/11/13 8:35 a.m.72 views

CVE-2021-3938

CVE-2021-3938 affects the open-source asset management web app Snipe-IT with a Cross-site Scripting (XSS) vulnerability. The issue stems from lack of proper filtering/escaping of user-submitted data in the AssetsController, enabling injection in web page generation. Public details cover the affec...

5.4CVSS4.7AI score0.00521EPSS
CVE
CVE
added 2022/12/25 12:0 a.m.72 views

CVE-2022-44380

Snipe-IT prior to version 6.0.14 is affected by a Cross Site Scripting (XSS) vulnerability when viewing assigned assets. The issue is documented across multiple feeds (CVE-2022-44380) and is addressed by upgrading to Snipe-IT 6.0.14 or later, per Red Hat advisory and NCSC release notes indicating...

5.4CVSS5.2AI score0.00488EPSS
CVE
CVE
added 2021/12/06 8:20 p.m.70 views

CVE-2021-4075

CVE-2021-4075 (snipe/snipe-it) is corroborated across multiple sources as a Server-Side Request Forgery (SSRF) issue. The connected advisories identify the vulnerability as exploitable via the Slack integration, enabling blind POST-based SSRF where an attacker with admin access could issue reques...

7.2CVSS5.2AI score0.00893EPSS
CVE
CVE
added 2021/11/13 8:50 a.m.68 views

CVE-2021-3931

CVE-2021-3931 is a CSRF vulnerability reported for Snipe-IT (open source IT asset/license management software). The connected records consistently describe CSRF in Snipe-IT due to a lack of CSRF checks/token for POST requests, notably in the view.blade.php file, enabling cross-site request forger...

4.3CVSS4.5AI score0.00429EPSS
CVE
CVE
added 2021/11/19 11:55 a.m.68 views

CVE-2021-3961

CVE-2021-3961 refers to a cross-site scripting (XSS) vulnerability in the snipe-it project (Snipe-IT). The issue arises from improper neutralization/validation of input during web page generation, allowing crafted data to be reflected in client-side context. Multiple connected sources (including ...

8CVSS5.7AI score0.00731EPSS
CVE
CVE
added 2021/10/19 12:30 p.m.64 views

CVE-2021-3863

CVE-2021-3863 affects the open-source asset management app Snipe-IT . The connected documents consistently describe it as a vulnerability of Improper Neutralization of Input During Web Page Generation (XSS) , caused by insecure handling of input that leads to arbitrary JavaScript execution via we...

6.1CVSS5.8AI score0.00764EPSS
CVE
CVE
added 2021/10/19 12:30 p.m.62 views

CVE-2021-3858

CVE-2021-3858 affects the snipe-it project (an open-source IT asset/license management system) and is a Cross-Site Request Forgery (CSRF) vulnerability. Public scoring in CVSSv3.1 is 8.8 (HIGH) with AV:N, AC:L, PR:N, UI:R, C:H, I:H, A:H; CVSSv2 is 6.8 (MEDIUM). The connected documents consistentl...

8.8CVSS6.4AI score0.00526EPSS
CVE
CVE
added 2023/10/06 7:27 p.m.60 views

CVE-2023-5452

Snipe-IT is affected by a stored cross-site scripting (XSS) vulnerability in versions prior to 6.2.2. Public records describe the issue as affecting the location endpoint (and possibly assets) with stored payloads that can execute script when viewed by another user. A PoC exists in 6.2.1 (and rel...

5.5CVSS5.2AI score0.00527EPSS
Web
CVE
CVE
added 2021/12/10 7:15 p.m.59 views

CVE-2021-4089

Snipe-IT is affected by an Improper Access Control vulnerability (CVE-2021-4089) affecting versions prior to 5.3.4. The issue arises because regular users with DENY to all models permissions can still view model data via the /models/{id}/clone endpoint due to missing authorize('view') checks. Imp...

4.3CVSS4.4AI score0.00697EPSS
CVE
CVE
added 2021/12/18 4:40 a.m.59 views

CVE-2021-4130

CVE-2021-4130 describes a Cross-Site Request Forgery (CSRF) vulnerability in the open-source asset management app snipe-it . The connected records confirm the issue across multiple sources but do not provide concrete details on affected versions or affected components beyond the CSRF label. CVSS ...

8.8CVSS6.4AI score0.00463EPSS
CVE
CVE
added 2024/11/12 12:0 a.m.59 views

CVE-2024-51094

CVE-2024-51094 affects Snipe-IT v7.0.13 build 15514. A low-privileged attacker can modify their profile Name field to inject a malicious payload; when an administrator uses the People Management page to export data as CSV and opens it, the payload can exfiltrate internal data from the CSV to a re...

8CVSS6.5AI score0.00429EPSS
CVE
CVE
added 2021/12/01 10:0 a.m.56 views

CVE-2021-4018

CVE-2021-4018 is a stored Cross-site Scripting (XSS) vulnerability affecting snipe-it. Public sources describe an XSS flaw in the web page generation path, with the vulnerability located in checkout/notes handling (notably via AccessoriesTransformer.php/transformCheckedoutAccessory) that allows i...

6.3CVSS5.5AI score0.00635EPSS
CVE
CVE
added 2021/12/14 8:10 p.m.54 views

CVE-2021-4108

CVE-2021-4108 affects the open-source asset management platform snipe-it . The vulnerability is a Cross-site Scripting (XSS) caused by Improper Neutralization of Input During Web Page Generation in the web interface. This is described across connected sources as a stored XSS issue in snipe-it, wi...

6.4CVSS6.1AI score0.00764EPSS
CVE
CVE
added 2019/03/27 3:54 a.m.49 views

CVE-2019-10118

CVE-2019-10118 relates to Snipe-IT, where versions before 4.6.14 are vulnerable to cross-site scripting (XSS) via log_meta values and the user’s last name in the API. The issue is a client-side input handling flaw that permits injection of arbitrary JavaScript/HTML when data is displayed in a use...

6.1CVSS6.2AI score0.00847EPSS
CVE
CVE
added 2025/09/19 12:0 a.m.30 views

CVE-2025-59713

CVE-2025-59713 affects Snipe-IT before 8.1.18 and is caused by unsafe deserialization. Public references (Red Hat, OSV, CVE listings) and a PoC/exploit repository indicate potential exploitation paths and cross-reference CVE-2025-59712 as well. The vulnerability impacts confidentiality and integr...

8.1CVSS6.5AI score0.00349EPSS
CVE
CVE
added 2026/06/08 3:41 p.m.29 views

CVE-2026-48507

Snipe-IT (IT asset/license management system) has a vulnerability affecting versions before 8.6.0. A non-admin user with only the granular users.edit permission can lock out admins by editing the activated flag (login eligibility) and the ldap_import flag (password reset requests). The issue is f...

7.1CVSS5.5AI score0.00194EPSS
CVE
CVE
added 2025/09/19 12:0 a.m.26 views

CVE-2025-59712

CVE-2025-59712 affects Snipe-IT prior to 8.1.18 where an XSS vulnerability exists due to improper sanitization of the User-Agent field when a user updates their profile. The issue enables injection of arbitrary JavaScript in pages that render the user reports/activity data. A PoC/exploit exists d...

6.4CVSS6.5AI score0.00238EPSS
CVE
CVE
added 2026/03/06 4:16 p.m.25 views

CVE-2025-15602

Summary: CVE-2025-15602 affects Snipe-IT

8.8CVSS5.8AI score0.0046EPSS
CVE
CVE
added 2026/05/26 7:30 p.m.25 views

CVE-2026-44833

The CVE-2026-44833 affects Snipe-IT up to version 8.4.0, where an open redirect vulnerability arises from using an unvalidated HTTP Referer header stored in a session variable. When a user action triggers a redirect (e.g., Save with redirect option set to back), the application reads the back_url...

7.1CVSS5.8AI score0.00163EPSS
CVE
CVE
added 2026/05/26 7:29 p.m.24 views

CVE-2026-44832

Snipe-IT (asset/license management) contains a privilege-escalation vulnerability prior to version 8.4.1. An authenticated user with only users.edit permission can elevate themselves to admin by PATCHing /api/v1/users/{id} with permissions[admin]=1. The API controller erroneously strips only the ...

8.8CVSS5.8AI score0.00314EPSS
Web
CVE
CVE
added 2025/11/05 12:0 a.m.23 views

CVE-2025-63601

CVE-2025-63601 affects Snipe-IT prior to 8.3.3. An authenticated attacker can upload a malicious backup file (via the backup/restore flow) containing arbitrary files and then execute system commands, yielding remote code execution. The vulnerability is described as a remote code execution with a ...

9.9CVSS8AI score0.00587EPSS
CVE
CVE
added 2026/05/26 7:27 p.m.23 views

CVE-2026-44831

CVE-2026-44831 affects Snipe-IT, an IT asset/license management system. Prior to v8.4.1, users with component view access could trigger stored XSS via an unescaped notes field in the component checkout process. The issue is fixed in v8.4.1 or later. If you are using versions before 8.4.1, upgrade...

5.4CVSS5.6AI score0.00218EPSS
CVE
CVE
added 2025/12/01 12:0 a.m.21 views

CVE-2025-65622

Summary of CVE-2025-65622 (Snipe-IT): Snipe-IT versions prior to 8.3.4 are affected by a stored XSS flaw in the Locations “Country” field. An authenticated, low-privilege user can inject JavaScript that executes in another user’s session. Connected advisories corroborate the issue and identify th...

5.4CVSS5.5AI score0.00161EPSS
CVE
CVE
added 2026/05/07 12:0 a.m.21 views

CVE-2026-37709

The CVE-2026-37709 entry concerns an Insecure Permissions vulnerability in grokability snipe-it ≤ v8.4.0 (fixed after 2026-03-10, commit 676a9958). A remote attacker could execute arbitrary code via app/Http/Controllers/Api/UploadedFilesController.php. The NVD/CVE data indicate a high-severity im...

9.8CVSS6.2AI score0.00475EPSS
CVE
CVE
added 2026/06/23 10:11 p.m.18 views

CVE-2026-48493

Snipe-IT (IT asset/license management) is affected by CVE-2026-48493 through a privilege-escalation flaw in versions prior to 8.6.0. A user with only users.edit can PATCH /api/v1/users/{their_own_id} to grant themselves any permission except admin/superuser (e.g., assets.view, assets.create, repo...

5.5CVSS5.8AI score0.00182EPSS
Web
CVE
CVE
added 3 days ago17 views

CVE-2026-54329

Summary: CVE-2026-54329 affects Snipe-IT before 8.6.2, where the Accessories API can mass-assign the company_id field, enabling a low-privilege user in one company (with FMCS enabled) to create accessory records under another company. Root cause: API create path mass-assigns request parameters di...

8.5CVSS6.1AI score0.00389EPSS
CVE
CVE
added 5 days ago17 views

CVE-2026-55542

Snipe-IT prior to version 8.6.1 exposes a missing authorization check when retrieving S3 signature images. In S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the authorize() call used by the local-fi...

5.3CVSS6AI score0.00281EPSS
Total number of security vulnerabilities62