VYPR
High severity · NVD Advisory · Published Nov 12, 2024 · Updated Nov 21, 2024

CVE-2024-51093

Description

Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the payload is executed, granting the attacker super admin permissions within the Snipe-IT system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Snipe-IT v7.0.13 via malicious XML upload leads to privilege escalation to super admin.

Vulnerability

Description

A Stored Cross-Site Scripting (XSS) vulnerability exists in Snipe-IT version 7.0.13 [1]. The application fails to properly sanitize XML file uploads, allowing an attacker to embed malicious JavaScript code within an XML file [3]. When the file is uploaded and subsequently viewed by an authorized user, the script executes in the browser context.

Exploitation

To exploit this vulnerability, an attacker must upload a specially crafted XML file containing JavaScript payloads [3]. The attack can be performed by any authenticated user with file upload privileges, typically through asset import functionality. No special network position is required; the attacker only needs access to the Snipe-IT web interface.

Impact

Successful exploitation results in privilege escalation, granting the attacker super admin permissions within the Snipe-IT system [1]. This gives full control over all assets, licenses, users, and configuration, potentially leading to data breaches, system compromise, and further lateral movement within the network.

Mitigation

The vendor has been notified and a fix is expected in a future release [2]. Users are strongly advised to update Snipe-IT to the latest patched version as soon as it becomes available. In the interim, restrict XML file upload capabilities and review uploaded files manually. The vulnerability has been assigned CWE-79 and CVE-2024-51093 [3].
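As an added example (not Snipe-IT's own code), the two defender-side controls the mitigation above points to, in Python: an upload-side check that parses an asset-import XML file and flags script-like content in element text and attributes, and output-side HTML escaping so a stored value cannot execute when viewed. The element names and both sample files are constructed assumptions; Snipe-IT's real import schema is not shown on this page.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed samples (hypothetical schema): one benign import and one whose text
# decodes to a <script> tag and whose attribute carries an inline event handler.
BENIGN_XML = "<assets><asset><name>Laptop 01</name><notes>Dell XPS</notes></asset></assets>"
MALICIOUS_XML = (
    "<assets><asset><name>&lt;script&gt;alert(1)&lt;/script&gt;</name>"
    '<notes onmouseover="alert(1)">x</notes></asset></assets>'
)

# Script tags, javascript: URIs and on*= handlers. Broad on purpose: a false positive
# on an asset note is cheaper than a stored XSS reaching a super admin's browser.
SCRIPT_PATTERNS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def find_script_payloads(xml_text: str) -> list:
    """Return findings describing where script-like content sits; empty means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A file that does not parse is rejected too, never passed through as-is.
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        if elem.tag.lower() == "script":
            findings.append(f"<{elem.tag}> element")
        for attr, value in elem.attrib.items():
            if attr.lower().startswith("on") or SCRIPT_PATTERNS.search(value):
                findings.append(f"attribute {attr!r} on <{elem.tag}>")
        # Entity-encoded markup (&lt;script&gt;) is decoded by the parser into
        # plain text, which is exactly what later reaches an HTML template.
        for text in (elem.text, elem.tail):
            if text and SCRIPT_PATTERNS.search(text):
                findings.append(f"text of <{elem.tag}>")
    return findings


def render_field(value: str) -> str:
    """Output-side defense: escape every imported value before it reaches HTML."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("malicious", MALICIOUS_XML)):
        print(label, find_script_payloads(doc) or "clean")
```

Escaping on output is the control that actually closes the XSS; the upload check is defense in depth for files that are stored and reviewed later.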

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
snipe/snipe-it (Packagist)   <= 7.0.13           (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)