CVE-2023-5511 - Understanding the CSRF Vulnerability in Snipe-IT < v6.2.3

In October 2023, a Cross-Site Request Forgery (CSRF) vulnerability was disclosed in the popular asset management system, Snipe-IT. Identified as CVE-2023-5511, this vulnerability affected versions prior to 6.2.3, exposing organizations to the risk of unauthorized actions being performed on their behalf. In this article, we’ll explain what it means, walk through how it works, show some minimal code, provide exploit details, and link to essential resources.

What is CVE-2023-5511?

CVE-2023-5511 is a vulnerability in the snipe/snipe-it GitHub project, a popular open-source asset management platform written in PHP. Before version 6.2.3, certain endpoints in Snipe-IT failed to properly implement CSRF protections.

If an attacker could trick a logged-in admin/user into clicking a malicious link or visiting a compromised site, they could potentially:

CSRF in Snipe-IT: How Does It Work?

CSRF vulnerabilities exist when a web app doesn’t properly verify if requests are intentionally sent by the user. Normally, web forms or requests include a CSRF token, making it harder for outside sites to submit data as if it's from a valid session. If this isn’t enforced, an attacker can *forge* requests.

Alice is an admin on a company’s Snipe-IT instance. She’s logged in.

2. Eve, an attacker, crafts a malicious site with HTML that submits a form to the Snipe-IT endpoint (e.g. to create or delete an asset).
3. Alice, while logged in to Snipe-IT, visits Eve’s site and triggers the form submission *unknowingly*.

Step 1: The Malicious HTML

Suppose the vulnerable Snipe-IT instance lives at https://assets.company.com, and Eve wants to assign an asset to a different user.

Eve's site would have

<form action="https://assets.company.com/hardware/123/checkout" method="POST">
  <input type="hidden" name="assigned_to" value="5">          <!-- Assign to user id 5 -->
  <input type="hidden" name="checkout_to_type" value="user">
  <input type="hidden" name="expected_checkin" value="2024-07-01">
  <input style="display:none" type="submit">
</form>

<script>
  document.forms[].submit();
</script>

What happens?

- If Snipe-IT doesn’t check for a valid CSRF token, and the endpoint is exposed, Alice’s browser submits the request with Alice’s session cookies—making it seem as if she authorized it.

Fix & Mitigation

The Snipe-IT team patched this issue in release 6.2.3.

Key Resources

- GitHub Security Advisory for CVE-2023-5511
- Official Snipe-IT 6.2.3 Release Notes
- CVE Record at NVD

Conclusion

CSRF vulnerabilities are simple but can have a huge impact, especially in admin-facing applications. Snipe-IT’s CVE-2023-5511 shows why enforcing CSRF tokens is mandatory for all sensitive operations. If you run Snipe-IT, make sure you’re patched beyond 6.2.3 to keep company assets safe.

Want to know more? Check out the official GitHub links and their latest updates to keep your instance safe. If you’re a developer, always use the Laravel CSRF middleware; it’s simple, but it can save your company!

Timeline

Published on: 10/11/2023 01:15:00 UTC
Last modified on: 10/12/2023 18:02:00 UTC