CVE Catalog

CVE-2025-65622

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile - higher than 6% of all known CVEs

Summary

Snipe-IT before version 8.3.4 is vulnerable to stored XSS via the Locations "Country" field. A low-privileged authenticated user can inject JavaScript that executes in another user's session.

Risk Assessment

An attacker can hijack another user's session, steal data, or perform unauthorized actions in Snipe-IT, compromising the confidentiality and integrity of IT asset management.

Recommendation

Immediately upgrade Snipe-IT to version 8.3.4 or later, which includes a fix for the XSS vulnerability in the "Country" field.

Original NVD description (English source)

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS