CVE-2024-51094

Name of the Vulnerable Software and Affected Versions: Snipe-IT version 7.0.13 build 15514

Description: The issue allows a low-privileged attacker to modify their profile name and inject a malicious payload into the Name field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.

Recommendations: For Snipe-IT version 7.0.13 build 15514, as a temporary workaround, consider restricting access to the Name field in the profile management section to prevent malicious payload injection until a patch is available. Additionally, restrict the export of data as CSV files from the People Management page to minimize the risk of exploitation.