[CVE-2022–32061] Snipe-IT Version v6.0.2 — Malicious File Upload

Description

# An Issue is discoverd in Snipe-IT Version v6.0.2.

# This exploit allow you to upload malicious files on server.

# We found malicious file upload when we upload file at the People menu.

Payload Attack

Proof of Concept

First, we login to the target application with admin privileges.

Then select People Menu and select User.

after that click Upload.

select malicious files to upload.

then select File Uploads Tab it will show malicious files

if someone try to download and open it the payload will be excuted.

We found the XSS!

Author

Grim The Ripper Team by SOSECURE Thailand

--

--

You get the best out of others when you give the best of yourself

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GrimTheRipper

You get the best out of others when you give the best of yourself