PT-2022-13677 · Snipe-It · Snipe-It

Published: 2022-03-30 · Updated: 2022-04-05 · CVE-2022-1155

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Snipe-IT versions prior to 5.3.10
Snipe-IT versions 5.4.1 and 6.0.0-RC-5

Description
The issue arises because existing sessions are not blocked by the login-enable (account activation) check, which is only applied when a new login is attempted, and active sessions are not revoked when a user account is disabled. As a result, a user whose account has been disabled can keep using a session opened earlier and access information they should no longer be able to reach.

Recommendations
For Snipe-IT versions prior to 5.3.10, update to version 5.3.10 or later. For Snipe-IT versions 5.4.1 and 6.0.0-RC-5, update to version 6.0.0-RC-6 or 5.4.2. As a temporary workaround, consider running the KillAllSessions console command, clearing the contents of the storage/framework/sessions directory, or changing the session cookie name; be aware that each of these options will log out all users.
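To make the gap concrete, the following is an added example, not Snipe-IT's own code (Snipe-IT is a Laravel application; the store below is a constructed stand-in for its server-side session storage). It models the flawed policy beside the fixed one: with revocation disabled, a session opened before the account was disabled keeps authorizing requests even though a fresh login is refused, and with the fix the disable operation revokes the user's sessions and every request re-validates the account state.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class User:
    name: str
    activated: bool = True

@dataclass
class SessionStore:
    # Constructed stand-in for server-side session storage; revoke_on_disable=False
    # reproduces the flaw: account state is only consulted when a session is created.
    revoke_on_disable: bool
    sessions: Dict[str, str] = field(default_factory=dict)  # sid -> user name
    users: Dict[str, User] = field(default_factory=dict)

    def login(self, user: User) -> Optional[str]:
        # Login-time gate: a disabled account cannot open a new session.
        if not user.activated:
            return None
        self.users[user.name] = user
        sid = secrets.token_hex(16)
        self.sessions[sid] = user.name
        return sid

    def disable(self, name: str) -> int:
        # Disable the account and return how many of its sessions were revoked.
        self.users[name].activated = False
        if not self.revoke_on_disable:
            return 0  # flaw: sessions created earlier stay usable
        stale = [sid for sid, owner in self.sessions.items() if owner == name]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)

    def authorize(self, sid: str) -> bool:
        # Per-request check; the hardened policy also re-validates the account.
        owner = self.sessions.get(sid)
        if owner is None:
            return False
        return self.users[owner].activated if self.revoke_on_disable else True

def disable_scenario(revoke_on_disable: bool) -> Tuple[bool, bool, bool]:
    # Returns (session valid before disable, still valid after, re-login allowed).
    store = SessionStore(revoke_on_disable)
    alice = User("alice")
    sid = store.login(alice)
    before = store.authorize(sid)
    store.disable("alice")
    after = store.authorize(sid)
    return before, after, store.login(alice) is not None
```

The middle value of `disable_scenario(False)` is the vulnerable behaviour the advisory describes; `disable_scenario(True)` shows the old session rejected once the account is disabled.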

Weakness Enumeration
Insufficient Session Expiration

Related Identifiers

CVE-2022-1155
GHSA-636J-7X7R-GVW2

Affected Products

Snipe-It