CVE-2022-1445

MEDIUM5.4EPSS 0.33%

Stored cross-site scripting in Snipe-IT

Published: 4/25/2022Modified: 11/8/2023

Description

Snipe-IT prior to version 5.4.3 is vulnerable to stored cross-site scripting because the input to the `checked_out_to` parameter is not escaped. The vulnerability is capable of stealing a user's cookie.

Affected packages (1)

Packagist/snipe/snipe-itfrom 0, < 5.4.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1445
PATCHhttps://github.com/snipe/snipe-it
WEBhttps://github.com/snipe/snipe-it/commit/f623d05d0c3487ae24c4f13907e4709484e5bf41
WEBhttps://huntr.dev/bounties/f4420149-5236-4051-a458-5d4f1d5b7abd