CVE-2024-48987NVD

Vulnerability Summary

Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values.

Severity Level

MEDIUM(6.6)

Published Date

Oct 11, 2024

Last Modified

May 22, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-1393: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredHigh

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://github.com/snipe/snipe-it/releases/tag/v7.0.10
https://www.synacktiv.com/advisories/snipe-it-unauthenticated-remote-command-execution-when-appkey-known

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2024-48987NVD

Vulnerability Summary

External References