Snipe-IT Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Snipe-IT web-based asset management system, affecting versions from 8.3.0 up to, but not including, 8.3.2. This vulnerability allows authenticated users with minimal privileges to inject arbitrary JavaScript into the 'First Name' and 'Last Name' fields of their profile. The injected script is executed when the 'Activity Report' or the modified profile is viewed by users with the appropriate permissions. Successful exploitation requires that the profile's 'Display Name' is not set.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the affected profile or activity report.

Reproduction

To reproduce this vulnerability, log into Snipe-IT and navigate to the profile dropdown menu. Select 'Edit Your Profile' and enter a JavaScript payload into the 'First Name' or 'Last Name' fields. Ensure that the 'Display Name' field is unset. After saving the profile, the JavaScript payload will execute when the 'Activity Report' is viewed or when the modified profile is accessed through the 'People' tab or directly via the 'History' tab.
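As an added illustration (not Snipe-IT's own code), the following JavaScript models the name-fallback rendering the advisory describes: the display name is used when set, otherwise first and last name are joined, and the vulnerable form inserts that result into markup unescaped while the fixed form escapes at the output boundary. The field names, the fallback rule and the sample records are assumptions made for the example.

```javascript
// Illustrative model of the display-name fallback (not Snipe-IT's code).
// Assumption: the profile page shows `display_name` when set, otherwise
// "first last", and the defect is that the fallback path was inserted into
// HTML without escaping.

// Minimal HTML entity escaping for text placed into element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Shared name-resolution rule: explicit display name wins, else first + last.
function resolveName(user) {
  const display = (user.display_name || '').trim();
  return display !== '' ? display : `${user.first_name} ${user.last_name}`.trim();
}

// Vulnerable rendering: the resolved name goes into markup verbatim.
function renderProfileVulnerable(user) {
  return `<h2 class="profile-name">${resolveName(user)}</h2>`;
}

// Hardened rendering: escape at the output boundary, whichever field won.
function renderProfileFixed(user) {
  return `<h2 class="profile-name">${escapeHtml(resolveName(user))}</h2>`;
}

// Defender check for existing records: does a stored name carry HTML
// metacharacters? Patching the template does not clean up names saved while
// the bug was live, so an audit of stored profiles after upgrading is useful.
function nameLooksLikeMarkup(user) {
  return /[<>"'&]/.test(`${user.first_name}${user.last_name}${user.display_name || ''}`);
}

// Constructed sample records (not real users).
const benignUser = { first_name: 'Ada', last_name: 'Lovelace', display_name: '' };
const taintedUser = { first_name: 'Ada<script>', last_name: 'x', display_name: '' };

console.log(renderProfileVulnerable(taintedUser)); // markup survives unescaped
console.log(renderProfileFixed(taintedUser));      // rendered as inert text
console.log(nameLooksLikeMarkup(benignUser), nameLooksLikeMarkup(taintedUser));
```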

Remediation

Users can update to Snipe-IT version 8.3.2 or later to address this vulnerability.

Added: Apr 13, 2026, 6:21 PM
Updated: Apr 13, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.