[CVE-2022–32061] Snipe-IT Version v6.0.2 — Malicious File Upload

Description

# An Issue is discoverd in Snipe-IT Version v6.0.2.

# This exploit allow you to upload malicious files on server.

# We found malicious file upload when we upload file at the People menu.

Payload Attack

Proof of Concept

First, we login to the target application with admin privileges.

Then select People Menu and select User.

after that click Upload.

select malicious files to upload.

then select File Uploads Tab it will show malicious files

if someone try to download and open it the payload will be excuted.

We found the XSS!

Author

Grim The Ripper Team by SOSECURE Thailand