Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Snipe-IT version 8.3.4 was vulnerable to a Cross-Site Scripting (XSS) flaw. This was a stored XSS, meaning an attacker could inject malicious scripts into user-controlled input fields, such as asset names, serial numbers, or custom fields.

When another user, particularly an administrator, viewed the affected page, the injected script would execute in their browser. The impact could range from session hijacking and data theft to defacement of the application and redirection of users to malicious sites. This allowed attackers to perform actions on behalf of the victim or steal sensitive information.

To mitigate this, users were advised to upgrade to a patched version of Snipe-IT, which properly sanitizes and encodes user input before display.

## **Product Info**

Snipe-IT is a free and open-source IT asset management system (FOSS) built on **Laravel**. It provides hardware asset tracking, software license management, accessories, and consumables inventory features for IT operations teams. It is actively maintained and updated frequently.

### **Summary**

A reflected cross-site scripting (XSS) vulnerability exists in **Snipe-IT v8.3.4 (build 202118)** within the CSV import workflow. When an invalid CSV file is uploaded, the application returns a **progress_message** value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the **POST `/livewire/update`** request and inject arbitrary JavaScript into the **progress_message** parameter.

Because the server does not sanitize or validate this field before reflecting it back to the client, the injected payload executes in the browser of any authenticated admin viewing the Import page, leading to arbitrary JavaScript execution in a privileged context.
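As an added illustration (not Snipe-IT's code and not part of the reporter's advisory), the following PHP contrasts raw reflection of the `progress_message` value with HTML-encoded rendering, and with rejecting client-side updates to the property altogether. The function names, the Blade `{!! !!}` / `{{ }}` parallels drawn in the comments, and the modelling of Livewire 3's `#[Locked]` behaviour are assumptions about how such a component could be written, not a description of the Snipe-IT source.

```php
<?php
declare(strict_types=1);

// Constructed input: the payload quoted in the advisory, as it arrives in the
// tampered POST /livewire/update body.
const PROGRESS_MESSAGE_PAYLOAD = "<iframe src=\"javascript:alert('XsS By CyberCrew')\">";

// Vulnerable pattern: the client-updatable property is interpolated into the
// page unchanged, the equivalent of Blade's unescaped {!! $progress_message !!}.
function renderRaw(string $progressMessage): string
{
    return '<div class="import-status">' . $progressMessage . '</div>';
}

// Hardened rendering: encode for an HTML text context, which Blade's default
// {{ $progress_message }} does. The tag reaches the browser as inert text.
function renderEncoded(string $progressMessage): string
{
    $safe = htmlspecialchars($progressMessage, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="import-status">' . $safe . '</div>';
}

// Root-cause fix: progress text is server-derived state and should not be
// settable by the client at all. This models what Livewire 3's #[Locked]
// attribute does for a property (assumed pattern, not Snipe-IT's code):
// updates to locked keys are rejected instead of merged into component state.
function applyClientUpdate(array $state, array $clientUpdate, array $lockedKeys): array
{
    foreach ($clientUpdate as $key => $value) {
        if (in_array($key, $lockedKeys, true)) {
            throw new RuntimeException("Rejected client update to locked property: {$key}");
        }
        $state[$key] = $value;
    }
    return $state;
}

// Raw output still contains a live <iframe>; encoded output contains &lt;iframe ... &gt;.
echo renderRaw(PROGRESS_MESSAGE_PAYLOAD), PHP_EOL;
echo renderEncoded(PROGRESS_MESSAGE_PAYLOAD), PHP_EOL;

try {
    applyClientUpdate(['progress_message' => 'Processing row 1'],
                      ['progress_message' => PROGRESS_MESSAGE_PAYLOAD],
                      ['progress_message']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;   // the tampered value never reaches the render step
}
```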

## **Affected Product**

- **Product:** snipe-it - v8.3.4
- **Vendor:** Grokability
- **Repository:** [https://github.com/grokability/snipe-it](https://github.com/grokability/snipe-it)

## **Affected Component**

- CSV Import UI (`/import`)
- Livewire frontend component
- POST `/livewire/update` request payload
- `progress_message` variable

## **CVSS v3.1 Base Score**

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

## **Attack Vector**

An attacker must cause the admin to upload an invalid CSV file (or simulate the workflow). During the process, the client sends a Livewire update containing the `progress_message` field. By intercepting this request via a proxy (Burp Suite, MitM, etc.), the attacker can modify the request body and inject JavaScript into the `progress_message`.

The server accepts the modified input **without sanitization** and reflects the tainted value directly back into rendered HTML. When the admin loads or refreshes the import status screen, the injected payload executes.


```html
<iframe src="javascript:alert('XsS By CyberCrew')">
```
## **Impact**

* Execution of arbitrary JS with admin privileges
* Installation of malicious browser-based payloads
* Alteration of Snipe-IT assets, users, or settings


## **Steps to Reproduce (PoC)**

1. Log into Snipe-IT as an admin.
2. Navigate to **Admin → Import**.
3. Upload an intentionally invalid CSV file.

4. Intercept the **POST** request to `/livewire/update`.

5. Modify the `progress_message` value:
```json
{"progress_message":"<iframe src=\"javascript:alert('XsS By CyberCrew')\">"}
```

6. Allow the request to proceed.
7. When the admin returns to the import status view, the JavaScript executes.

## **References**

[https://nvd.nist.gov/vuln/detail/CVE-2025-24576](https://nvd.nist.gov/vuln/detail/CVE-2025-24576)

## **Discoverer**

CyberCrew (https://www.cybercrew.co.jp)
