Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulner
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except a
Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the i
Snipe-IT before version 8.3.3 contains a remote code execution vulnerability that allows an authenticated attacker to upload a malicious backup file containing arbitrary files and execute system comma
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repositor
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. This can lead to privilege escalation when the paylo
Snipe-IT before 8.1.18 allows XSS.
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the P
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can cr
Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script t
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controllers
Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, t
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and accou
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message
Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open
Page 1+ Next →