CVE-2025-63743
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
Cross-Site Scripting vulnerability in Snipe-IT asset management system versions 8.3.0 through 8.3.1. An authenticated attacker with minimal privileges can inject arbitrary JavaScript code via the "Name" and "Surname" fields. The code executes when the Activity Report or a modified profile is viewed by other users with sufficient permissions, provided the profile has no Display Name set.
Risk Assessment
The risk includes potential session theft, account takeover, or unauthorized actions in the victim's context, which could lead to data leakage or system integrity compromise.
Recommendation
Immediately upgrade Snipe-IT to version 8.3.2 or later, which fixes the vulnerability. Additionally, consider setting a Display Name for user profiles.
Original NVD description (English source)
Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.

