CVE-2024-51093

Name of the Vulnerable Software and Affected Versions: Snipe-IT version 7.0.13

Description: A Stored Cross-Site Scripting (XSS) issue allows an attacker to upload a malicious XML file containing JavaScript code, potentially leading to privilege escalation when the payload is executed. This could grant the attacker super admin permissions within the Snipe-IT system. The vulnerability can be exploited via an unknown part of the file /users/{{user-id}}/#files, allowing a remote attacker to escalate privileges.

Recommendations: For Snipe-IT version 7.0.13, consider disabling the file upload feature or restricting access to the /users/{{user-id}}/#files endpoint until a patch is available. Avoid using the user-id variable in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.