CVE-2024-48987: 
PHP vulnerability analysis and mitigation

CVE-2024-48987 affects Snipe-IT versions before 7.0.10, allowing remote code execution through cookie serialization when an attacker knows the APPKEY. The vulnerability was discovered in October 2024 and is particularly concerning because default APPKEY values were available in the product's repository .env files (NVD, Synacktiv).

The vulnerability stems from the XSRF-TOKEN cookies using serialized ciphered data, which can lead to remote code execution if an attacker obtains the APPKEY. The issue is exacerbated by the presence of default APPKEY values in several .env template files in the main repository. When both conditions are met, an unauthenticated attacker could potentially compromise the system. The vulnerability was assigned a CVSS v3.1 Base Score of 6.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, Synacktiv).

If successfully exploited, this vulnerability allows attackers to execute remote commands on affected servers when they have access to the APPKEY. The impact is particularly severe for installations that use default APPKEY values from the example configuration files (Synacktiv).

The vulnerability was patched in Snipe-IT version 7.0.10 by removing cookie serialization. Users are strongly advised to upgrade to this version or later. Additionally, it is crucial to regenerate the APPKEY if using a default configuration. This can be done using the command 'php artisan key:generate'. The documentation emphasizes that APPKEY should never be shared with anyone and default values should never be used (GitHub Release, Synacktiv).