CVE-2025-64027
BaseFortify
Publication date: 2025-11-20
Last updated on: 2025-11-26
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| snipeitapp | snipe-it | 8.3.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary JavaScript in the browser of authenticated admin users. This could lead to unauthorized actions performed with admin privileges, theft of sensitive information such as session tokens, or further compromise of the system through malicious scripts.
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in Snipe-IT v8.3.4's CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST request to inject arbitrary HTML or JavaScript into this progress_message. Because the server does not sanitize this input and reflects it back, the injected JavaScript executes in the browser of any authenticated admin who views the import page.
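As an added example (not Snipe-IT's code, which this page does not show), here is the client-side rendering pattern the description implies, next to its hardened form: the `progress_message` value is treated as untrusted text and either assigned via `textContent` or HTML-escaped before being spliced into markup. The response shape, the `escapeHtml`/`renderSafe`/`renderSafeAsHtml` names and the sample response are assumptions.

```javascript
// Constructed sample of the JSON the import endpoint is described as returning
// after an invalid CSV upload. The value is attacker-influenced per the CVE text.
const SAMPLE_RESPONSE = JSON.stringify({
  progress_message: 'Invalid CSV: <b>row 3</b> & "quoted" <img src=x>',
});

// Escape the characters that change meaning in an HTML text or attribute context.
// '&' must be replaced first so later replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (the behaviour the CVE describes): the message is assigned
// as markup, so any tags it contains become live DOM in the admin's browser.
function renderUnsafe(element, responseText) {
  const { progress_message = '' } = JSON.parse(responseText);
  element.innerHTML = progress_message;
}

// Hardened pattern: assign the message as text. The browser displays '<' and '>'
// literally and never parses the value as HTML. Returns what was rendered.
function renderSafe(element, responseText) {
  const { progress_message = '' } = JSON.parse(responseText);
  element.textContent = progress_message;
  return element.textContent;
}

// Hardened alternative for code that must build an HTML string (e.g. a template
// fragment): escape the value before interpolating it.
function renderSafeAsHtml(responseText) {
  const { progress_message = '' } = JSON.parse(responseText);
  return `<div class="alert">${escapeHtml(progress_message)}</div>`;
}
```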