CVE-2025-65621
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
A stored XSS vulnerability in Snipe-IT before version 8.3.4 allows a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.
Risk Assessment
An attacker can hijack an administrator session, gaining full control over the IT asset management system, leading to data leakage and configuration integrity compromise.
Recommendation
Immediately upgrade Snipe-IT to version 8.3.4 or later, which includes a fix for the stored XSS vulnerability.
Original NVD description (English source)
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation.

