Executive Summary

CVE-2025-63743 is an authenticated stored Cross-Site Scripting (XSS) vulnerability in the Snipe-IT web-based asset management system versions 8.3.0 to 8.3.1. An attacker with the lowest privileges, only requiring login access, can inject arbitrary JavaScript code into the "First Name" and "Last Name" fields of their user profile if the "Display Name" field is not set. This malicious code is then stored and executed whenever any user with sufficient permissions views the "Activity Report" or the modified profile, leading to a stored XSS attack.

The root cause is that the backend API does not properly escape the "name" value before returning it, specifically in the file app/Http/Transformers/ActionlogsTransformer.php. This allows unfiltered JavaScript to be embedded in API responses, which executes in the victim's browser context.

The vulnerability was introduced in August 2025 and fixed in version 8.3.2 released in September 2025.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the CVE-2025-63743 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated attacker with minimal privileges to execute arbitrary JavaScript code in the browsers of users who view the affected profiles or activity reports. This can lead to several impacts including:

• Theft of sensitive information such as session cookies or authentication tokens.
• Performing actions on behalf of the victim user (session hijacking).
• Potential spread of malware or further exploitation within the system.
• Compromise of user accounts or escalation of privileges if combined with other vulnerabilities.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject JavaScript code into the "First Name" and "Last Name" fields of a user profile via an authenticated HTTP POST request to the /account/profile endpoint.

A proof of concept involves sending a POST request with payloads such as: first_name=testuser<script>alert(document.location);</script> and last_name=testuser<script>alert(document.location);</script>.

After injection, checking the API response for the activity report or viewing the "Activity Report" page or the modified user's profile will reveal if the injected JavaScript appears unsanitized in the "target" field, confirming the stored XSS vulnerability.

Example command using curl to test injection:

• curl -X POST https://your-snipeit-instance/account/profile -d "first_name=testuser<script>alert(document.location);</script>" -d "last_name=testuser<script>alert(document.location);</script>" -b cookies.txt -c cookies.txt

Then, access the Activity Report or the modified profile page in the web interface to observe if the script executes.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Snipe-IT system to version 8.3.2 or later, where this vulnerability has been fixed.

Until the upgrade is applied, restrict user permissions to prevent users from modifying their "First Name" and "Last Name" fields or ensure that the "Display Name" field is set for all profiles to avoid triggering the vulnerability.

Additionally, monitor and review activity reports and user profile changes for suspicious JavaScript code injections.

Useful 0 Not Useful 0