CVE-2024-51094

Published Nov 12, 2024

Last updated 4 days ago

Overview

Description
An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. When an administrator later accesses the People Management page, exports the data as a CSV file, and opens it, the injected payload will be executed, allowing the attacker to exfiltrate internal system data from the CSV file to a remote server.
Source
cve@mitre.org
NVD status
Awaiting Analysis

Social media

Hype score
Not currently trending

  1. CVE-2024-51094 An issue in Snipe-IT v.7.0.13 build 15514 allows a remote attacker to escalate privileges via the file /account/profile of the component "Name" field value under "Edi… https://t.co/WB26ZyywkY

    @CVEnew

    13 Nov 2024

    637 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References