
CVE-2024-51093

Severity: High
Published: Tue Nov 12 2024 (11/12/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-51093 is a high-severity stored cross-site scripting (XSS) vulnerability in Snipe-IT version 7.0.13. An attacker with limited privileges, but with permission to upload files, can upload a crafted XML file that carries JavaScript. The script does not run with the uploader's privileges: it runs in the browser of whoever later views the file inside the application, and acts with that viewer's session. When the viewer is a super admin, the script can perform actions as that account, which the attacker can use to grant their own account super admin permissions. Exploitation therefore requires both some level of privileges and user interaction by a victim, but the outcome can be full compromise of the asset management platform. No exploitation in the wild has been reported. Organizations running Snipe-IT should prioritize patching or applying mitigations to prevent privilege escalation and data compromise.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 01:21:13 UTC

Technical Analysis

CVE-2024-51093 is a stored cross-site scripting (XSS) vulnerability identified in Snipe-IT version 7.0.13, an open-source asset management system widely used for IT inventory and asset tracking. The vulnerability arises from insufficient sanitization of uploaded XML files, which lets an attacker embed JavaScript in the XML payload. When the application later returns that XML and the browser renders it, the embedded script executes in the context of the viewing user's session. The general mechanism behind this class of bug is worth spelling out: browsers render an XML document served inline from a site's origin as a document, and will execute script elements in the XHTML or SVG namespaces, event-handler attributes, and script referenced through an xml-stylesheet processing instruction. An uploaded XML file that is served back without a download disposition is therefore a classic stored XSS vector. An attacker who already has some level of access (a user with upload rights) can use this to reach super admin level, because the script runs with the privileges of whoever views the file, and a super admin viewing it can be made to elevate the attacker's account, effectively handing over full control of the Snipe-IT instance. The CVSS 3.1 score of 8.7 reflects high impact on confidentiality and integrity with a network attack vector and low attack complexity, moderated by the need for some privileges and for user interaction. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). At the time of this analysis no patch or public exploit code is listed, but the risk is significant because successful exploitation means complete system compromise and administrative takeover.

Potential Impact

The exploitation of CVE-2024-51093 can have severe consequences for organizations using Snipe-IT for asset management. An attacker who successfully exploits this vulnerability can gain super admin privileges, allowing them to manipulate asset data, exfiltrate sensitive information, create or delete user accounts, and disrupt asset tracking operations. This can lead to loss of data integrity, unauthorized disclosure of confidential information, and operational disruptions. Since Snipe-IT often contains detailed IT infrastructure data, compromise could facilitate further lateral movement within an organization’s network. The vulnerability’s network accessibility and low complexity increase the risk of exploitation, especially in environments where multiple users have upload permissions. Organizations relying on Snipe-IT for compliance and auditing may face regulatory and reputational damage if this vulnerability is exploited.

Mitigation Recommendations

To mitigate CVE-2024-51093, organizations should immediately restrict XML file upload permissions to the most trusted users and monitor upload activity for suspicious files. Strict validation of uploaded XML content helps, but sanitizing XML for script is brittle; the more reliable control is to never render uploads inline. Serve stored files with a Content-Disposition: attachment header, a non-renderable Content-Type, and X-Content-Type-Options: nosniff, so the browser downloads them instead of executing anything they contain, and restrict the accepted file types to what the workflow actually needs. If an official patch or update from Snipe-IT is released, prioritize its deployment. In the absence of a patch, consider disabling XML uploads entirely, or use a web application firewall (WAF) with rules that detect script payloads in XML; treat the WAF as a stopgap, since XML namespaces, entities and encodings give an attacker many ways to evade pattern matching. Conduct regular security audits and penetration tests focusing on file upload and download handling. Enforce least privilege for all users, keep the number of super admin accounts minimal, and require multi-factor authentication for administrative accounts so that a hijacked session is harder to turn into a persistent takeover. Monitor logs for unusual privilege changes, in particular an account being granted super admin rights shortly after an administrator viewed an uploaded file, and for access patterns indicative of exploitation attempts.
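The two checks a practitioner would want for the mechanism described in the technical analysis and the upload controls in the mitigations above, as an added example. This is not Snipe-IT code and does not reproduce the actual CVE-2024-51093 payload; the sample XML documents are constructed, and the element, attribute and processing-instruction names flagged are the ones browsers act on when an XML document is rendered inline rather than downloaded. The function and header names are this example's own.

```python
"""Flag browser-executable content in uploaded XML, and build the response
headers that stop a stored upload from ever rendering inline.

Added example for this advisory, not Snipe-IT code. The stdlib parser is
used so the block is self-contained; for untrusted input in production
prefer defusedxml, which also blocks entity-expansion attacks.
"""
import io
import re
import xml.etree.ElementTree as ET

# Namespaces whose <script> element a browser executes inside an XML document.
SCRIPT_NAMESPACES = {
    "http://www.w3.org/1999/xhtml",
    "http://www.w3.org/2000/svg",
}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _split_name(qname):
    """ElementTree '{ns}local' -> (ns, local); unprefixed names give ns == ''."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def find_script_vectors(xml_bytes):
    """Return (kind, name, snippet) tuples for every script vector found.

    Walks the document with a streaming parse. 'end' events are used so that
    each element's text and attributes are complete when inspected; 'pi'
    events surface processing instructions, which ElementTree otherwise drops.
    """
    findings = []
    for event, node in ET.iterparse(io.BytesIO(xml_bytes), events=("end", "pi")):
        if event == "pi":
            # A PI node's text is "target data". xml-stylesheet pulls in XSLT,
            # which can emit script (or a whole XHTML page) when rendered.
            text = node.text or ""
            target = text.split(None, 1)[0] if text else ""
            if target == "xml-stylesheet":
                findings.append(("pi", target, text[:60]))
            continue
        ns, local = _split_name(node.tag)
        if local.lower() == "script" and ns in SCRIPT_NAMESPACES:
            findings.append(("element", node.tag, (node.text or "").strip()[:60]))
        for attr, value in node.attrib.items():
            _, aname = _split_name(attr)
            if aname.lower().startswith("on"):      # onload=, onerror=, ... (conservative)
                findings.append(("handler", aname, value[:60]))
            elif JS_URL.match(value):               # href="javascript:..."
                findings.append(("url", aname, value[:60]))
    return findings


def safe_download_headers(filename):
    """Headers for returning a stored upload so the browser downloads it
    instead of rendering it, whatever the file contains."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs (not real Snipe-IT exports).
BENIGN_XML = b"""<?xml version="1.0"?>
<assets><asset><tag>LAP-0042</tag><model>X1</model></asset></assets>"""

MALICIOUS_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://attacker.example/x.xsl"?>
<assets xmlns:html="http://www.w3.org/1999/xhtml"
        xmlns:svg="http://www.w3.org/2000/svg">
  <asset>
    <tag>LAP-0042</tag>
    <html:script>alert(document.domain)</html:script>
    <svg:svg onload="alert(1)"><svg:a href="javascript:alert(2)"/></svg:svg>
  </asset>
</assets>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("malicious", MALICIOUS_XML)):
        hits = find_script_vectors(doc)
        print(f"{label}: {'REJECT' if hits else 'accept'}")
        for kind, name, snippet in hits:
            print(f"  {kind:8} {name}: {snippet}")
    print(safe_download_headers('report; "inline".xml'))
```

Use the scanner at upload time (reject the file if it returns anything) and as a one-off sweep over files already stored, and apply the headers on every route that returns an uploaded file. The scanner is deliberately conservative, flagging any on* attribute regardless of namespace, because the cost of a false positive on an inventory export is low and the cost of a missed handler is an administrator's session.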


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-10-28T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6baab7ef31ef0b557a51

Added to database: 2/25/2026, 9:37:46 PM

Last enriched: 2/26/2026, 1:21:13 AM

Last updated: 2/26/2026, 6:13:52 AM
