
CVE-2021-3938: snipe-it is vulnerable to Cross-site Scripting

CVSS Score: 3.9 (CVSS 3.0)

Basic Information

EPSS Score: 0.38376%
Published: 11/15/2021
Updated: 9/15/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: snipe/snipe-it
Ecosystem: composer
Vulnerable Versions: <= 5.3.1
First Patched Version: 5.4.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The GitHub patch shows the vulnerability was fixed by adding e() HTML entity escaping to $request->input('asset_tag') in the error message construction. The original unpatched line (return response()->json(... $request->input('asset_tag') ...)) directly embeds user-controlled input into a response without escaping, making it susceptible to XSS. The audit method in AssetsController.php is the only function modified in the security patch, confirming this as the vulnerable entry point.
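
The pattern described above, as an added standalone example that is not Snipe-IT's own code: JSON-encoding a response does not neutralize HTML in a reflected value, so the escaping has to happen before the value enters the message. The function names, message wording and JSON shape are assumptions, and escape_html() is a stand-in for Laravel's e() helper so the script runs without the framework.

```php
<?php
// Added illustration; not Snipe-IT source code. All names below are hypothetical.

// Stand-in for Laravel's e() helper so the script runs without the framework.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unescaped pattern: request input is concatenated into the error message as-is.
function audit_error_unescaped(string $assetTag): string
{
    return json_encode([
        'status'   => 'error',
        'messages' => 'Asset tag ' . $assetTag . ' not found',
    ]);
}

// Patched pattern: the input is entity-escaped before it enters the message.
function audit_error_escaped(string $assetTag): string
{
    return json_encode([
        'status'   => 'error',
        'messages' => 'Asset tag ' . escape_html($assetTag) . ' not found',
    ]);
}

// What a client sees after parsing the JSON body; a page that writes this
// string into the DOM as HTML will interpret any markup it still contains.
function message_seen_by_client(string $jsonBody): string
{
    return json_decode($jsonBody, true)['messages'];
}

// Constructed sample value for the asset_tag request parameter.
$assetTag = '<img src=x onerror=alert(1)>';

foreach (['unescaped' => 'audit_error_unescaped', 'escaped' => 'audit_error_escaped'] as $label => $build) {
    $message = message_seen_by_client($build($assetTag));
    $hasMarkup = strpos($message, '<') !== false;
    printf("%-9s %s  [raw markup survives: %s]\n", $label, $message, $hasMarkup ? 'yes' : 'no');
}
```

A regression test for this class of bug can assert that the decoded message contains no literal `<` when the submitted asset tag does.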
