Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

Author: Sn1p3r-H4ck3r
type: webapps
platform: php
port: 
date_added: 2025-05-06  
date_updated: 2025-05-06  
verified: 0  
codes: CVE-2025-47226  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 52282.txt  
# Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
# Google Dork: N/A
# Date: 2025-05-02
# Exploit Author: Sn1p3r-H4ck3r (Siripong Jintung)
# Vendor Homepage: https://snipeitapp.com
# Software Link: https://github.com/grokability/snipe-it
# Version: <= 8.0.4
# Tested on: Ubuntu 22.04 LTS, Apache2 + MySQL + PHP 8.1
# CVE: CVE-2025-47226

# Vulnerability Description:
Snipe-IT <= 8.0.4 contains an Insecure Direct Object Reference (IDOR) vulnerability in the
`/locations/<id>/printassigned` endpoint. This flaw allows an authenticated user from one
department to gain access to asset assignment data belonging to other departments by modifying
the `location_id` in the URL.

# Steps to Reproduce:
1. Authenticate with a low-privileged account assigned to `location_id = 2`.
2. Access the print preview page:
   https://<target>/locations/2/printassigned
3. Modify the URL to:
   https://<target>/locations/1/printassigned
4. The application will disclose inventory/assignment information for location ID 1,
   even if the user should not have access.

# Impact:
- Unauthorized access to internal asset and inventory information.
- Potential for lateral data exposure between departments in the same organization.
- Disclosure of asset IDs, assignees, and location metadata.

# Mitigation:
Update to **Snipe-IT v8.1.0** or higher where access control validation has been corrected.

# References:
- Patch PR: https://github.com/grokability/snipe-it/pull/16672
- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47226
- Release Notes: https://github.com/grokability/snipe-it/releases/tag/v8.1.0