CVE-2025-65622
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
Snipe-IT before version 8.3.4 is vulnerable to stored XSS via the Locations "Country" field. A low-privileged authenticated user can inject JavaScript that executes in another user's session.
Risk Assessment
An attacker can hijack another user's session, steal data, or perform unauthorized actions in Snipe-IT, compromising the confidentiality and integrity of IT asset management.
Recommendation
Immediately upgrade Snipe-IT to version 8.3.4 or later, which includes a fix for the XSS vulnerability in the "Country" field.
Original NVD description (English source)
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

