Description

An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.

INFO

Published Date :

2024-11-12T00:00:00.000Z

Last Modified :

2024-11-19T16:48:56.392Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2024-51094 vulnerability.

Vendors Products
Snipeitapp
  • Snipe-it
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-51094.

URL Resource
https://gist.githubusercontent.com/Tommywarren/b3a6c6ae5a93dd67c863313f71f53a76/raw/ddff8cbbab5179f680ba3f5e94fc080575ad8913/CVE-2024-51094 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact