php · snipe/snipe-it
Heads-up
Snipe-IT Missing Authorization Check in /api/v1/{object}/selectlist Exposes User Data
What changed
The GET /api/v1/{object}/selectlist API endpoint performs no authorization check, so any authenticated user, regardless of role or assigned permissions, can retrieve a paginated list of all user accounts.
Who it affects
Any Snipe-IT instance where a low-privilege user (anyone who can obtain a session or API token) can log in; every active account is exposed, including usernames, display names, employee numbers, and user IDs.
What to do today
Apply the patch from commit 4f943d4a7ab8e53f3d9e32770602d1118bab005f, which adds authorization checks to the endpoint. Then confirm the fix: call the users variant of the endpoint with an API token belonging to an account that lacks permission to view users and check that the response is a 403 rather than a list of accounts.
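The bug class behind this advisory, shown as an added illustration rather than Snipe-IT's own code: a Laravel controller that resolves the {object} segment to a model and returns a paginated list, first without any authorization (the vulnerable shape) and then with a policy check before the query runs. The class name, route wiring, allowlist, and column names are assumptions for the example.

```php
<?php
// Added example (not Snipe-IT's code): a generic "selectlist" endpoint,
// before and after adding an authorization check.
// Assumed route: Route::get('{object}/selectlist', [SelectListController::class, 'selectlist']);

namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;

class SelectListController extends Controller
{
    /**
     * Allowlist mapping the URL segment to an Eloquent model (assumed names).
     * Resolving the model from a fixed map avoids building class names from
     * untrusted input; an unknown segment is a 404, not a guess.
     */
    private const OBJECTS = [
        'users' => User::class,
        // 'locations' => Location::class, ...
    ];

    /** Column set returned to the caller (assumed for the example). */
    private const COLUMNS = ['id', 'username', 'first_name', 'last_name', 'employee_num'];

    // BEFORE: authentication is the only gate (API middleware), so every
    // logged-in user can page through the entire user table.
    public function vulnerableSelectlist(Request $request, string $object)
    {
        $model = self::OBJECTS[$object] ?? abort(404);

        return $model::query()
            ->select(self::COLUMNS)
            ->paginate(50);
    }

    // AFTER: authorize against the resolved model's policy before querying.
    public function selectlist(Request $request, string $object)
    {
        $model = self::OBJECTS[$object] ?? abort(404);

        // Delegates to the model's policy (e.g. UserPolicy::viewAny via Laravel's
        // AuthorizesRequests trait). Throws AuthorizationException, which Laravel
        // renders as HTTP 403, so unauthorized callers never reach the query.
        $this->authorize('viewAny', $model);

        $query = $model::query();
        if ($search = $request->input('search')) {
            // Keep any search constrained to columns the caller is allowed to see.
            $query->where('username', 'like', '%' . $search . '%');
        }

        return $query
            ->select(self::COLUMNS)
            ->paginate(50);
    }
}
```

The check must run against the model that {object} actually resolves to, not against a single fixed permission: a generic endpoint that serves many object types needs a per-type policy decision, otherwise fixing the users case leaves the same hole open for every other type the map exposes.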