Snipeitapp >> Snipe-It >> 3.6.4: Security Vulnerabilities
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
CVSS Score: 5.0 | EPSS Score: 0.004 | Published: 2025-05-02
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.
CVSS Score: 6.6 | EPSS Score: 0.01 | Published: 2024-10-11
Cross-Site Request Forgery (CSRF) in GitHub repository snipe/snipe-it prior to v.6.2.3.
CVSS Score: 6.3 | EPSS Score: 0.001 | Published: 2023-10-11
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.2.2.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2023-10-06
Snipe-IT through 6.0.14 allows attackers to check whether a user account exists because of response variations in a /password/reset request.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2022-12-25
Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2022-12-25
Improper Authentication in GitHub repository snipe/snipe-it prior to 6.0.10.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2022-09-17
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
CVSS Score: 5.9 | EPSS Score: 0.001 | Published: 2022-08-29
Session Fixation in GitHub repository snipe/snipe-it prior to 6.0.10.
CVSS Score: 4.6 | EPSS Score: 0.009 | Published: 2022-08-25
Snipe-IT versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted Host header in the password reset request, an attacker can cause the password reset links sent to users to point to an attacker-controlled server. Once a user clicks such a link, the password reset token is leaked, which leads to account takeover.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2022-05-02

