Package Instance

Snipe-IT has sensitive user attributes related to account privileges that are insufficiently protected against mass assignment
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset, an attacker can fully take over the Super Admin account, resulting in complete administrative control of the Snipe-IT instance.

Business Logic Error
Old sessions are not blocked by the login enable function in GitHub repository snipe/snipe-it prior to 5.3.10.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability is capable of stolen the user Cookie.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and the user's last name in the API.

Snipe-IT has an open redirect vulnerability
Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.

### Impact

-   **Phishing**: Redirect users to fake login pages to steal credentials
-   **Session Hijacking**: Redirect to attacker site that captures session cookies via JavaScript
-   **Malware Distribution**: Redirect to sites hosting malware or drive-by downloads
-   **Reputation Damage**: Users lose trust when redirected to malicious sites from legitimate application
-   **Social Engineering**: Use trusted Snipe-IT domain to increase phishing success rate

When the user clicks "Save", the application: 
1. Processes the form 
2. Checks `redirect_option` (if set to 'back') 
3. Calls `Helper::getRedirectOption()` 
4. Retrieves `back_url` from session: `https://evil.com/phishing?target=snipeit` 
5. Executes `redirect()->to($backUrl)` 
6. User is redirected to attacker's site

This would still require session poisoning, so the actual practical threat here is minimal. 

### Patches
Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

### Workarounds
 None.

### Resources
-   CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
-   OWASP: Unvalidated Redirects and Forwards
-   Laravel Security: Safe Redirects

[snipeit_open_redirect_submission.md](https://github.com/user-attachments/files/27414869/snipeit_open_redirect_submission.md)

Snipe-IT has Privilege Escalation via API Permissions Assignment
### Impact
An authenticated user with only `users.edit` permission can escalate their own privileges to `admin` by sending a PATCH request to `/api/v1/users/{id}` with `permissions[admin]=1`. The API controller only strips the `superuser` key from the permissions array, allowing `admin` and all other permission keys to be set by any user who can update users.

### Patches
Patched in https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569, fix was released in v8.4.1

### Workarounds
None.