Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Snipe-IT 安全漏洞
Vulnerability Description
Snipe-IT是Grokability开源的一套开源IT资产/许可证管理系统。 Snipe-IT v8.3.4版本存在安全漏洞,该漏洞源于CSV导入工作流中存在反射型跨站脚本,可能导致执行任意JavaScript。
CVSS Information
N/A
Vulnerability Type
N/A