Snipeitapp: >> Snipe-It >> 7.0.13 Security Vulnerabilities
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
CVSS Score
5.0
EPSS Score
0.004
Published
2025-05-02
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the payload is executed, granting the attacker super admin permissions within the Snipe-IT system.
CVSS Score
8.7
EPSS Score
0.0
Published
2024-11-12
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.
CVSS Score
8.0
EPSS Score
0.001
Published
2024-11-12