
Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

Medium
Exploit, web, exploit
Published: Tue May 06 2025 (05/06/2025, 00:00:00 UTC)
Source: Exploit-DB RSS Feed

Description

Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

AI-Powered Analysis

Last updated: 06/11/2025, 21:12:10 UTC

Technical Analysis

Grokability Snipe-IT 8.0.4 is affected by an Insecure Direct Object Reference (IDOR) vulnerability tracked as CVE-2025-47226. The flaw is in the `/locations/<id>/printassigned` endpoint, which displays asset assignment data for a specific location. An authenticated, low-privileged user assigned to one location can change the `location_id` parameter in the URL and view asset assignment information belonging to other locations or departments within the same organization. The application does not properly enforce access control checks on the `location_id` parameter, so sensitive internal data such as asset IDs, assignee details, and location metadata is disclosed to users who are not authorized to see it.

The vulnerability was tested on a typical LAMP stack (Ubuntu 22.04 LTS, Apache2, MySQL, PHP 8.1) and affects all versions up to and including 8.0.4. It was addressed in Snipe-IT 8.1.0, which includes corrected access control validation.

The exploit code demonstrates that an authenticated user can retrieve data from unauthorized locations simply by modifying the URL, which highlights how easy the issue is to exploit. Exploitation requires authentication, but only as a low-privileged user, and needs no user interaction beyond URL manipulation. The impact is primarily unauthorized disclosure of internal asset and inventory information across departments, potentially leading to lateral data exposure within an organization. No exploitation in the wild has been reported yet, but the presence of public exploit code increases the risk of exploitation.

Potential Impact

For European organizations, the impact of this vulnerability is significant in environments where Snipe-IT is used for asset management, particularly in medium to large enterprises with multiple departments or locations. Unauthorized access to asset assignment data can lead to information leakage about internal inventory, potentially exposing sensitive operational details or enabling further targeted attacks. This lateral data exposure undermines confidentiality and could facilitate social engineering or insider threats. Organizations in regulated sectors such as finance, healthcare, or government may face compliance risks due to unauthorized data disclosure. While the vulnerability does not directly impact system integrity or availability, the breach of confidentiality alone can have reputational and operational consequences. Since Snipe-IT is an open-source asset management tool widely adopted in IT asset management across Europe, organizations relying on versions <= 8.0.4 are at risk until patched. The lack of known active exploitation provides a window for mitigation, but the availability of exploit code increases urgency for remediation.

Mitigation Recommendations

European organizations should prioritize upgrading Snipe-IT installations to version 8.1.0 or later, where the access control flaw has been fixed. Until upgrades can be performed, organizations should implement strict network segmentation and access controls to limit authenticated user access to only necessary locations. Monitoring and logging access to the `/locations/<id>/printassigned` endpoint should be enhanced to detect unusual access patterns or attempts to access unauthorized location IDs. Additionally, organizations can implement web application firewall (WAF) rules to detect and block suspicious URL parameter tampering targeting the `location_id` parameter. Conducting internal audits of user permissions and enforcing the principle of least privilege will reduce the risk of exploitation. Finally, organizations should review their asset management policies and train users to recognize and report suspicious behavior related to asset data access.
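
One way to implement the endpoint monitoring recommended above, as an added example (not part of the original page and not Snipe-IT code). It assumes Apache combined-format access logs and groups requests by client IP as a stand-in for the user, because the web server log does not record the Snipe-IT session user; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line, and the advisory's endpoint (numeric segment = location ID).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT_RE = re.compile(r'^/locations/(?P<loc>\d+)/printassigned/?(?:\?.*)?$')

def parse_hits(lines):
    """Yield (client_ip, timestamp, location_id) for successful report fetches."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        hit = ENDPOINT_RE.match(m["path"])
        if hit:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(hit["loc"])

def find_location_sweeps(lines, max_locations=2, window=timedelta(minutes=10)):
    """Return {client_ip: every location ID it fetched} for clients that read
    the report for more than max_locations distinct locations in one window."""
    per_client = defaultdict(list)
    for ip, ts, loc in parse_hits(lines):
        per_client[ip].append((ts, loc))
    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            if len({loc for _, loc in events[start:end + 1]}) > max_locations:
                flagged[ip] = sorted({loc for _, loc in events})
                break
    return flagged

def _line(ip, hhmmss, loc, status=200):
    return (f'{ip} - - [12/May/2025:{hhmmss} +0000] "GET /locations/{loc}'
            f'/printassigned HTTP/1.1" {status} 5120 "-" "Mozilla/5.0"')

SAMPLE_LOG = [  # constructed sample input, not real traffic
    _line("10.0.0.5", "09:14:01", 3), _line("10.0.0.5", "09:20:44", 3),
    _line("10.0.0.5", "09:21:02", 9, status=403),  # denied, so not counted
    _line("10.0.0.23", "09:30:00", 1), _line("10.0.0.23", "09:30:03", 2),
    _line("10.0.0.23", "09:30:06", 3), _line("10.0.0.23", "09:30:09", 4),
    _line("10.0.0.40", "08:00:00", 7), _line("10.0.0.40", "11:00:00", 8),
    _line("10.0.0.40", "15:00:00", 9),  # three locations, hours apart
]
```

Only successful (200) responses are counted, which fits unpatched versions where the cross-location request succeeds; on 8.1.0 or later, denied requests to this endpoint are the signal to count instead.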


Technical Details

Edb Id: 52282
Has Exploit Code: true
Code Language: text

Exploit Source Code

Exploit code for Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

# Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
# Google Dork: N/A
# Date: 2025-05-02
# Exploit Author: Sn1p3r-H4ck3r (Siripong Jintung)
# Vendor Homepage: https://snipeitapp.com
# Software Link: https://github.com/grokability/snipe-it
# Version: <= 8.0.4
# Tested on: Ubuntu 22.04 LTS, Apache2 + MySQL + PHP 8.1
# CVE: CVE-2025-47226

# Vulnerability Description:
Snipe-IT <= 8.0.4 contains an Insecure Direct Object Reference (IDOR) vulnerability in the
`/loca
... (1146 more characters)
Code Length: 1,646 characters

Threat ID: 68489e1b7e6d765d51d53eef

Added to database: 6/10/2025, 9:05:31 PM

Last enriched: 6/11/2025, 9:12:10 PM

Last updated: 8/14/2025, 6:42:58 PM
