Headline
CVE-2022-32061: Snipe-IT Version v6.0.2 — Malicious File Upload - GrimTheRipper - Medium
An arbitrary file upload vulnerability in the Select User function under the People Menu component of Snipe-IT v6.0.2 allows attackers to execute arbitrary code via a crafted file.
Description
# An Issue is discoverd in Snipe-IT Version v6.0.2.
# This exploit allow you to upload malicious files on server.
# We found malicious file upload when we upload file at the People menu.
Payload Attack
Proof of Concept
First, we login to the target application with admin privileges.
Then select People Menu and select User.
after that click Upload.
select malicious files to upload.
then select File Uploads Tab it will show malicious files
if someone try to download and open it the payload will be excuted.
We found the XSS!
Author
Grim The Ripper Team by SOSECURE Thailand