CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)

Valid

**Description**

CSRF in custom field settings

**Proof of Concept**

    <img src="http://<SNIPE_IT_APP>/fields/1/fieldset/1/disassociate">
    <img src="http://<SNIPE_IT_APP>/fields/required/3/3">
    <img src="http://<SNIPE_IT_APP>/fields/optional/3/3">
    

**Impact**

This vulnerability is capable of trick admin user to modify custom forms

**Occurences**

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 8 days ago

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We have contacted a member of the snipe/snipe-it team and are waiting to hear back 7 days ago

![](https://avatars.githubusercontent.com/u/197404?v=4)

snipe validated this vulnerability 7 days ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/197404?v=4)

snipe confirmed that a fix has been merged on 0d811d 7 days ago

snipe has been awarded the fix bounty

Headline

CVE-2021-3931: huntr: Cross-Site Request Forgery (CSRF) PHP Vulnerability in snipe-it

CVE: Latest News