
CVE-2024-51094: n/a

Severity: High
Published: Tue Nov 12 2024 (11/12/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-51094 is a high-severity vulnerability in Snipe-IT version 7.0.13 that allows a low-privileged attacker to inject a malicious payload into their own profile name. The payload is triggered when an administrator exports the People Management CSV file and opens it, enabling data exfiltration to a remote server. Exploitation requires the attacker to hold an account with limited privileges and requires the administrator to perform the export and open the file, so user interaction is involved. The vulnerability affects the confidentiality, integrity, and availability of internal system data. No exploits are currently reported in the wild. Organizations using Snipe-IT for asset management should prioritize patching or mitigating this issue to prevent potential data breaches. Countries with significant Snipe-IT usage and high-value targets are at elevated risk.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 01:21:37 UTC

Technical Analysis

CVE-2024-51094 is a vulnerability identified in Snipe-IT version 7.0.13 build 15514, an open-source asset management system widely used by organizations to track IT assets. The flaw allows a low-privileged attacker to modify their own profile's "Name" field by injecting a malicious payload. The injection is possible because the application fails to properly sanitize or validate input in this field before it is written to an export. When an administrator later accesses the People Management page and exports the user data as a CSV file, the payload embedded in the "Name" field is included verbatim in the export. When that CSV file is opened in a spreadsheet application, the payload is evaluated as a formula rather than displayed as text, which can lead to exfiltration of internal system data to an attacker-controlled remote server. This attack chain requires the attacker to have an authenticated low-privilege account and requires an administrator to perform the export and open the CSV file, so user interaction is involved. The vulnerability is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), commonly called CSV or formula injection. The CVSS v3.1 score of 8.0 reflects the high impact on confidentiality, integrity, and availability, combined with a network attack vector, low attack complexity, low privileges required, and required user interaction. No patches or exploits in the wild had been reported at the time of publication, but the risk remains significant because of the potential for sensitive data leakage and abuse of administrative trust.

Potential Impact

The impact of CVE-2024-51094 is substantial for organizations using Snipe-IT for asset and personnel management. Successful exploitation can lead to unauthorized disclosure of sensitive internal data, including user information and potentially other confidential asset details embedded in the CSV export. This breach of confidentiality can facilitate further attacks such as social engineering, targeted phishing, or lateral movement within the network. The integrity of exported data is compromised, potentially misleading administrators or corrupting audit trails. Availability may also be affected if the attacker's payload disrupts normal administrative workflows or causes application instability. Since the attack requires administrator interaction, it leverages trust relationships and operational procedures, increasing the risk of unnoticed data exfiltration. Organizations with strict compliance requirements or handling sensitive data face regulatory and reputational risks. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.

Mitigation Recommendations

To mitigate CVE-2024-51094, organizations should first verify whether they are running Snipe-IT version 7.0.13 build 15514 or a similar vulnerable version and prioritize upgrading to a patched version once one is available. In the absence of an official patch, implement strict input validation and sanitization on the "Name" field to prevent injection of malicious payloads, and neutralize formula-leading characters in every user-supplied value at export time so that spreadsheet applications treat them as text. Restrict the ability of low-privileged users to modify profile fields that are included in administrative exports. Educate administrators to be cautious when exporting and opening CSV files, especially those containing user-generated content, and consider opening such files in sandboxed or isolated environments to prevent payload execution. Employ network monitoring to detect unusual outbound connections that may indicate data exfiltration attempts. Review and tighten role-based access controls to minimize unnecessary privileges. Additionally, consider temporarily disabling or restricting CSV export functionality, if feasible, until a fix is applied. Regularly audit logs and user activities for signs of exploitation attempts. Finally, maintain an incident response plan tailored to data exfiltration scenarios involving administrative tools.
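The following is an added example, not code from Snipe-IT or from this advisory, showing the export-side neutralization described in the Technical Analysis and Mitigation sections above: cells that begin with a formula-leading character are prefixed with a single quote so a spreadsheet displays them as text, and an audit helper flags profile names that already look formula-like. The user records, field names, and email addresses are constructed sample data; the `neutralize_cell` and `audit_profile_names` helpers are hypothetical names chosen for this example.

```python
"""Neutralising CSV/formula injection (CWE-1236) on export.

Added example, not Snipe-IT code. It assumes user records are plain dicts
with "id", "name" and "email" keys; the sample data below is constructed.
"""
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a
# cell as a formula when a CSV file is opened. Tab and carriage return are
# included because some applications strip them before the formula check,
# which would otherwise let "\t=..." slip past a check on "=" alone.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

FIELDS = ["id", "name", "email"]

# Constructed sample data: one benign name, one name with legitimate
# punctuation, and three names that a spreadsheet would treat as formulas.
SAMPLE_USERS = [
    {"id": 1, "name": "Alice Smith", "email": "alice@example.invalid"},
    {"id": 2, "name": "=SUM(1,1)", "email": "mallory@example.invalid"},
    {"id": 3, "name": "+Bob", "email": "bob@example.invalid"},
    {"id": 4, "name": "@Carol", "email": "carol@example.invalid"},
    {"id": 5, "name": "O'Brien, Pat", "email": "pat@example.invalid"},
]


def is_formula_like(value: str) -> bool:
    """Return True if a spreadsheet would evaluate this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix a formula-like cell with a single quote.

    The leading apostrophe is the conventional escape: spreadsheet
    applications hide it and render the remainder as literal text, so the
    exported value is preserved for the reader but never evaluated.
    Values that do not start with a trigger character are left untouched,
    so legitimate names containing commas or apostrophes are not altered.
    """
    if is_formula_like(value):
        return "'" + value
    return value


def export_users_csv(users: list) -> str:
    """Write users to CSV text with every cell neutralized and quoted.

    csv.QUOTE_ALL handles embedded commas and double quotes correctly; the
    formula escape is applied separately because CSV quoting alone does not
    stop a spreadsheet from evaluating a cell that begins with "=".
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for user in users:
        writer.writerow({k: neutralize_cell(str(user[k])) for k in FIELDS})
    return buf.getvalue()


def audit_profile_names(users: list) -> list:
    """Return the ids of users whose stored name already looks like a formula.

    Useful as a detection check on existing data: a hit means someone has
    saved a formula-leading value into a field that reaches admin exports.
    """
    return [user["id"] for user in users if is_formula_like(str(user["name"]))]


if __name__ == "__main__":
    print("Suspicious profile ids:", audit_profile_names(SAMPLE_USERS))
    print(export_users_csv(SAMPLE_USERS))
```

Running the module prints the ids of the three formula-like names and a CSV in which those names carry a leading apostrophe, while "Alice Smith" and "O'Brien, Pat" are exported unchanged (the latter is simply quoted by the writer). The same `is_formula_like` check can also be applied at input time on the "Name" field, which is the validation step the mitigation text calls for.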


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2024-10-28T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6baab7ef31ef0b557a54

Added to database: 2/25/2026, 9:37:46 PM

Last enriched: 2/26/2026, 1:21:37 AM

Last updated: 2/26/2026, 6:37:16 AM

