CVE-2025-65621
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-01
Last updated on: 2025-12-04
Assigner: MITRE
Description
Description
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| snipeitapp | snipe-it | to 8.3.4 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Snipe-IT versions before 8.3.4 is a stored cross-site scripting (XSS) flaw. It allows a low-privileged authenticated user to inject malicious JavaScript code that will execute in the session of an administrator, potentially leading to privilege escalation.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker with low privileges to execute malicious scripts in an administrator's session. This can lead to unauthorized actions, data theft, or gaining higher privileges within the system.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70