VYPR
High severity · NVD Advisory · Published Oct 11, 2023 · Updated Sep 18, 2024

Cross-Site Request Forgery (CSRF) in snipe/snipe-it

CVE-2023-5511

Description

Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Snipe-IT asset management prior to v6.2.3 allows attackers to trigger unauthorized actions via a crafted request.

What the vulnerability is

CVE-2023-5511 is a Cross-Site Request Forgery (CSRF) vulnerability in the Snipe-IT asset management application prior to version 6.2.3 [1][3]. The root cause is that the sentAssetAcceptanceReminder endpoint was exposed on a GET route that took the acceptance id as a URL path parameter, so the state-changing action ran without any CSRF token check, instead of requiring a POST carrying a CSRF token [2].

How it is exploited

An attacker can craft a malicious link or form that, when visited by an authenticated Snipe-IT user with sufficient privileges, triggers the sentAssetAcceptanceReminder action without the user's consent. The vulnerability was addressed by changing the endpoint to accept only POST requests and by reading the acceptance_id from the request body, so that the framework's CSRF token validation applies to the request [2][4].
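To make the mechanism concrete, here is an added example (not Snipe-IT or Laravel code) that models the synchronizer-token check Laravel's VerifyCsrfToken middleware performs, wired into a tiny dispatcher that mirrors the two route shapes shown in the patch below. The function names (csrf_token, csrf_check, dispatch), the return strings, and the scenario values are illustrative assumptions; the route paths are the ones from the page.

```php
<?php
// Added example, not code from Snipe-IT or Laravel: a framework-independent model of
// the synchronizer-token check behind Laravel's @csrf / VerifyCsrfToken, used to show
// why the pre-fix GET route was forgeable and why the post-fix POST route is not.
// Function names and the 'sent'/'forbidden'/'not_found' results are illustrative.

declare(strict_types=1);

/** Return the per-session CSRF token, minting one on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(32)); // 256 random bits, hex-encoded
    }
    return $session['_token'];
}

/**
 * Synchronizer-token check: safe methods pass untouched; state-changing methods must
 * carry a _token equal to the session copy. hash_equals() is constant-time.
 */
function csrf_check(string $method, array $body, array $session): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $expected = $session['_token'] ?? '';
    $given    = $body['_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/** Minimal router for the reminder action, before and after the fix. */
function dispatch(string $method, string $path, array $body, array $session, bool $patched): string
{
    $method = strtoupper($method);
    if (!$patched) {
        // Pre-fix shape: GET /reports/unaccepted_assets/{acceptanceId}/sent_reminder
        if ($method === 'GET' && preg_match('#^/reports/unaccepted_assets/(\d+)/sent_reminder$#', $path)) {
            return 'sent'; // no token is ever consulted, so any cross-site link/image can trigger it
        }
        return 'not_found';
    }
    // Post-fix shape: POST /reports/unaccepted_assets/sent_reminder, id in the body
    if ($method === 'POST' && $path === '/reports/unaccepted_assets/sent_reminder') {
        if (!csrf_check($method, $body, $session)) {
            return 'forbidden'; // Laravel answers this case with HTTP 419
        }
        return isset($body['acceptance_id']) ? 'sent' : 'bad_request';
    }
    return 'not_found';
}

// --- constructed scenario ---
$session = [];
$token = csrf_token($session); // the real form embeds this via @csrf

// Pre-fix: a forged GET from another origin succeeds without any token.
var_dump(dispatch('GET', '/reports/unaccepted_assets/42/sent_reminder', [], $session, false) === 'sent');

// Post-fix: a forged POST (another origin cannot read the victim's token) is refused...
var_dump(dispatch('POST', '/reports/unaccepted_assets/sent_reminder', ['acceptance_id' => 42], $session, true) === 'forbidden');
// ...while the legitimate form submission carrying the session token succeeds.
var_dump(dispatch('POST', '/reports/unaccepted_assets/sent_reminder', ['acceptance_id' => 42, '_token' => $token], $session, true) === 'sent');
// A GET to the new path no longer reaches the action at all.
var_dump(dispatch('GET', '/reports/unaccepted_assets/sent_reminder', [], $session, true) === 'not_found');
```

Run with `php example.php`; each var_dump prints `bool(true)`. The point the scenario makes is that the token alone is not the fix: it only helps once the action is moved off a safe method, because CSRF middleware (Laravel's included) deliberately skips GET.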

Impact

Successful exploitation could allow an attacker to perform actions on behalf of the victim, such as sending asset acceptance reminders to users, potentially leading to unauthorized notifications or manipulation of asset checkout records [2][4].

Mitigation

The vulnerability is fixed in Snipe-IT version 6.2.3 [1][3]. Users should upgrade to this version or later to eliminate the CSRF risk. There are no known workarounds; applying the patch is the recommended action.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
snipe/snipe-it (Packagist)  < 6.2.3             6.2.3

Affected products: 2

Patches: 1

6d55d782806c: Set resend acceptance to POST

https://github.com/snipe/snipe-it · snipe · Oct 9, 2023 · via ghsa
3 files changed · +29 -7
  • app/Http/Controllers/ReportsController.php (+13 -3, modified)
    @@ -1043,27 +1043,37 @@ public function getAssetAcceptanceReport($deleted = false)
          * @throws \Illuminate\Auth\Access\AuthorizationException
          * @version v1.0
          */
    -    public function sentAssetAcceptanceReminder($acceptanceId = null)
    +    public function sentAssetAcceptanceReminder(Request $request)
         {
             $this->authorize('reports.view');
     
    -        if (!$acceptance = CheckoutAcceptance::pending()->find($acceptanceId)) {
    +        if (!$acceptance = CheckoutAcceptance::pending()->find($request->input('acceptance_id'))) {
    +            \Log::debug('No pending acceptances');
                 // Redirect to the unaccepted assets report page with error
                 return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.bad_data'));
             }
    +
             $assetItem = $acceptance->checkoutable;
     
    +        \Log::debug(print_r($assetItem, true));
    +
             if (is_null($acceptance->created_at)){
    +            \Log::debug('No acceptance created_at');
                 return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.bad_data'));
             } else {
                 $logItem_res = $assetItem->checkouts()->where('created_at', '=', $acceptance->created_at)->get();
    +
    +            \Log::debug('Acceptance created at: '.$acceptance->created_at);
    +            \Log::debug(print_r($logItem_res, true));
    +
                 if ($logItem_res->isEmpty()){
    +                \Log::debug('Acceptance date mismatch');
                     return redirect()->route('reports/unaccepted_assets')->with('error', trans('general.bad_data'));
                 }
                 $logItem = $logItem_res[0];
             }
     
    -        if(!$assetItem->assignedTo->locale){
    +        if (!$assetItem->assignedTo->locale){
                 Notification::locale(Setting::getSettings()->locale)->send(
                     $assetItem->assignedTo,
                     new CheckoutAssetNotification($assetItem, $assetItem->assignedTo, $logItem->user, $acceptance, $logItem->note)
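Review bot: the `\Log::debug` calls added throughout this hunk, in particular `\Log::debug(print_r($assetItem, true))` and `\Log::debug(print_r($logItem_res, true))`, look like leftover debugging: they serialize the whole checkoutable model and its checkout log rows into the application log on every reminder, which is noisy and can put user and note data into log files. Suggest dropping them or logging only `$acceptance->id`. Separately, `$request->input('acceptance_id')` goes straight into `find()`; a `$request->validate(['acceptance_id' => 'required|integer'])` before the lookup would turn a missing or non-numeric id into a proper validation response instead of relying on `find(null)` returning null. Also confirm the controller's `use` block imports `Illuminate\Http\Request` for the new type hint, since the hunk does not show it.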
    
  • resources/views/reports/unaccepted_assets.blade.php (+14 -2, modified)
    @@ -77,11 +77,23 @@ class="table table-striped snipe-table"
                         <td>{!! $item['assetItem']->present()->nameUrl() !!}</td>
                         <td>{{ $item['assetItem']->asset_tag }}</td>
                         <td @if($item['acceptance']->assignedTo === null || $item['acceptance']->assignedTo->trashed()) style="text-decoration: line-through" @endif>{!! ($item['acceptance']->assignedTo) ? $item['acceptance']->assignedTo->present()->nameUrl() : trans('admin/reports/general.deleted_user') !!}</td>
    -                    <td>
    +                    <td class="white-space: nowrap;">
    +                        <nobr>
                             @if(!$item['acceptance']->trashed())
    -                            @if ($item['acceptance']->assignedTo)<a href="{{ route('reports/unaccepted_assets_sent_reminder', ['acceptanceId' => $item['acceptance']->id]) }}" class="btn btn-sm bg-purple" data-tooltip="true">{{ trans('admin/reports/general.send_reminder') }}</a>@endif
    +                           <form method="post" class="white-space: nowrap;" action="{{ route('reports/unaccepted_assets_sent_reminder') }}">
    +                            @if ($item['acceptance']->assignedTo)
    +                                @csrf
    +                               <input type="hidden" name="acceptance_id" value="{{ $item['acceptance']->id }}">
    +                                <button class="btn btn-sm btn-warning" data-tooltip="true" data-title="{{ trans('admin/reports/general.send_reminder') }}">
    +                                    <i class="fa fa-repeat" aria-hidden="true"></i>
    +                                </button>
    +
    +                            @endif
                                 <a href="{{ route('reports/unaccepted_assets_delete', ['acceptanceId' => $item['acceptance']->id]) }}" class="btn btn-sm btn-danger delete-asset" data-tooltip="true" data-toggle="modal" data-content="{{ trans('general.delete_confirm', ['item' =>trans('admin/reports/general.acceptance_request')]) }}" data-title="{{  trans('general.delete') }}" onClick="return false;"><i class="fa fa-trash"></i></a>
    +                           </form>
                             @endif
    +
    +                        </nobr>
                         </td>
                       </tr>
                       @endif
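Review bot: `class="white-space: nowrap;"` on both the `<td>` and the new `<form>` puts a CSS declaration into the class attribute, where it has no effect; it should be `style="white-space: nowrap;"`, which would also make the obsolete `<nobr>` wrapper unnecessary. The delete `<a>` is now nested inside the POST form together with the reminder button; that works because the anchor is a link rather than a submit control, but moving it back outside the `</form>` keeps the two actions separate. The `@csrf` directive and the hidden `acceptance_id` input are what make the new POST route CSRF-safe, so they must stay inside the form element.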
    
  • routes/web.php (+2 -2, modified)
    @@ -368,8 +368,8 @@
             'reports/unaccepted_assets/{deleted?}',
             [ReportsController::class, 'getAssetAcceptanceReport']
         )->name('reports/unaccepted_assets');
    -    Route::get(
    -        'reports/unaccepted_assets/{acceptanceId}/sent_reminder',
    +    Route::post(
    +        'reports/unaccepted_assets/sent_reminder',
             [ReportsController::class, 'sentAssetAcceptanceReminder']
         )->name('reports/unaccepted_assets_sent_reminder');
         Route::delete(
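Review bot: replacing `Route::get` with `{acceptanceId}` in the path by `Route::post` with the id in the request body is the actual CSRF fix here, because Laravel's VerifyCsrfToken middleware checks the token only on state-changing methods and ignores GET; confirm this route is declared inside the `web` middleware group (the enclosing group is outside the hunk), otherwise no token is checked at all. Any bookmark or external link to the old `reports/unaccepted_assets/{acceptanceId}/sent_reminder` URL no longer matches a route, which is the intended outcome.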
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
