CVE-2025-65622
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Snipe-IT allows authenticated users with low privileges to inject malicious JavaScript into the Locations 'Country' field. When other users view this field, the script executes in their browser sessions, potentially compromising their accounts or stealing sensitive data. All Snipe-IT instances running versions before 8.3.4 are affected.
💻 Affected Systems
- Snipe-IT
📦 What is this software?
Snipe It by Snipeitapp
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, gain full administrative access, exfiltrate all asset management data, or deploy ransomware across the organization's IT infrastructure.
Likely Case
Attackers steal user session tokens to impersonate legitimate users, access sensitive asset information, modify asset records, or redirect users to phishing sites.
If Mitigated
With proper input validation and output encoding, the malicious script would be rendered harmless as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The GitHub repository contains proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.3.4
Vendor Advisory: http://snipeitapp.com
Restart Required: No
Instructions:
1. Back up your Snipe-IT database and files.
2. Update to Snipe-IT version 8.3.4 or later via git pull or package manager.
3. Run database migrations if required.
4. Clear the application cache.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the Country field before storage.
Modify the Snipe-IT source code to add HTML entity encoding for the Country field in the Locations controller.
Content Security Policy
Implement strict Content Security Policy headers to prevent script execution.
Add the header Content-Security-Policy: script-src 'self' to the web server configuration. Test it on a staging instance first, since a policy that blocks inline scripts can break application pages that rely on them.
🧯 If You Can't Patch
- Restrict user permissions to prevent low-privilege users from accessing or modifying Locations data
- Implement web application firewall (WAF) rules to block XSS payloads in the Country field
🔍 How to Verify
Check if Vulnerable:
Check Snipe-IT version in admin panel or via command: php artisan --version
Check Version:
php artisan --version
Verify Fix Applied:
After updating, attempt to enter <script>alert('XSS')</script> into the Country field. It should be displayed as plain text, not executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Location records
- Multiple failed login attempts followed by Location updates
- Country field entries containing script tags or JavaScript code
Network Indicators:
- Outbound connections to suspicious domains following Location page views
- Unexpected data exfiltration patterns
SIEM Query:
source="snipe-it-logs" AND (message="*Location*updated*" OR message="*Country*modified*") AND (message="*<script>*" OR message="*javascript:*")
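As an added example that is not part of the advisory, the Python script below applies the same indicators as the SIEM query above to location records and log lines, and shows the HTML-entity encoding described under "If Mitigated" rendering the payload inert. The record shape and the log line format are assumptions, and the sample data is constructed.

```python
import html
import re

# Indicators from the advisory for the Country field: script tags,
# javascript: URIs, inline event handlers and common tag-based vectors.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(iframe|img|svg)\b",
    re.IGNORECASE,
)


def is_suspicious_country(value: str) -> bool:
    """True when a Country value carries markup that never belongs in a country name."""
    return bool(SUSPICIOUS.search(value))


def audit_locations(locations):
    """Return ids of location records whose Country field looks like an XSS payload.
    Records are dicts with 'id' and 'country' keys (assumed shape)."""
    return [loc["id"] for loc in locations if is_suspicious_country(loc.get("country") or "")]


def flag_log_lines(lines):
    """Same idea as the SIEM query: keep Location update entries carrying a payload."""
    return [ln for ln in lines
            if re.search(r"Location.*(updated|modified)", ln, re.IGNORECASE)
            and is_suspicious_country(ln)]


def render_country(value: str, escape: bool = True) -> str:
    """HTML-entity encoding (the fix described under 'If Mitigated') turns the
    payload into inert text; escape=False shows the unsafe raw rendering for contrast."""
    return html.escape(value, quote=True) if escape else value


# Constructed sample records and log lines (not real data).
SAMPLE_LOCATIONS = [
    {"id": 1, "country": "Germany"},
    {"id": 2, "country": "<script>alert('XSS')</script>"},
    {"id": 3, "country": "<img src=x onerror=alert(1)>"},
    {"id": 4, "country": "Côte d'Ivoire"},
]
SAMPLE_LOG = [
    'Location "HQ" updated by admin: country "Germany"',
    'Location "Lab" updated by user7: country "<script>alert(1)</script>"',
    'Asset 42 checked out to user7',
]

if __name__ == "__main__":
    print("Flagged location ids:", audit_locations(SAMPLE_LOCATIONS))
    print("Flagged log lines:", flag_log_lines(SAMPLE_LOG))
    print("Escaped:", render_country(SAMPLE_LOCATIONS[2]["country"]))
```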