Grokability Snipe-IT
cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*
- 8.3.4 (build 20218)
A reflected cross-site scripting vulnerability has been identified in Snipe-IT version 8.3.4 (build 20218) within the CSV import workflow. When an invalid CSV file is uploaded, the application generates a progress_message that is displayed as raw HTML in the admin interface. This vulnerability allows an attacker to intercept and modify the POST /livewire/update request, injecting arbitrary HTML or JavaScript into the progress_message. The server reflects this unvalidated input back to the user, enabling the execution of injected JavaScript in the browser of any authenticated admin who views the import page.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript with admin privileges, potentially leading to the installation of malicious browser-based payloads and unauthorized alterations of Snipe-IT assets, users, or settings.
To reproduce this vulnerability, log into Snipe-IT as an admin and navigate to the Admin → Import section. Upload an intentionally invalid CSV file. Intercept the POST request to /livewire/update and modify the progress_message value to include a JavaScript payload, such as an alert. Allow the request to proceed, and when the admin returns to the import status view, the injected JavaScript will execute.
Users are advised to upgrade to Snipe-IT version 8.3.5 or later, where this vulnerability has been addressed.
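The root cause described above is a server-generated status string that the client can overwrite through the Livewire update request and that the view then renders as raw HTML. The stand-alone PHP script below, added here as an illustration and not Snipe-IT's own code, contrasts that unescaped rendering with an escaped one based on htmlspecialchars(); the template markup, function names and the constructed tampered message are assumptions.

```php
<?php
// Added illustration, not Snipe-IT code. Contrasts raw vs escaped rendering
// of a client-controlled progress message. Run with: php progress_escape.php
declare(strict_types=1);

// Vulnerable pattern: the message is interpolated into the page as-is,
// which is what Blade's unescaped {!! $progress_message !!} does.
function renderProgressRaw(string $progressMessage): string
{
    return '<div class="import-status">' . $progressMessage . '</div>';
}

// Hardened pattern: encode every HTML metacharacter before interpolation,
// which is what Blade's escaped {{ $progress_message }} does. ENT_QUOTES
// also encodes single and double quotes, so the value stays inert even if
// a template later places it inside an attribute.
function renderProgressEscaped(string $progressMessage): string
{
    $safe = htmlspecialchars(
        $progressMessage,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="import-status">' . $safe . '</div>';
}

// Constructed example of a tampered value: markup where the application
// expects plain status text (a benign tag is enough to show the difference).
$tampered = 'Import failed: <b>"see details"</b>';

echo "Raw (vulnerable):\n" . renderProgressRaw($tampered) . "\n\n";
echo "Escaped (hardened):\n" . renderProgressEscaped($tampered) . "\n";
// In the escaped output every '<', '>' and '"' becomes an entity, so the
// browser displays the text literally and never creates the <b> element.
```

Output escaping addresses the rendering side; the complementary fix is to stop accepting the value from the client at all, for example by recomputing the message from server-side import state or, where the Livewire version in use supports it, marking the property with Livewire's `#[Locked]` attribute (applicability to this codebase is an assumption).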