Vulnerability Details CVE-2024-51094
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.9%
CVSS Severity
CVSS v3 Score 8.0
Products affected by CVE-2024-51094
-
cpe:2.3:a:snipeitapp:snipe-it:7.0.13