CVE-2024-48987

Published: Oct 11, 2024

Modified: Mar 25, 2025

PUBLISHED

Description

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/snipe/snipe-it/releases/tag/v7.0.10

https://www.synacktiv.com/advisories/snipe-it-unauthenticated-remote-command-execution-when-appkey-known

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-48987

Description

Affected Products

References