PT-2022-13895 · Snipe-It · Snipe-It

Published

2022-04-24

Updated

2022-05-03

CVE-2022-1445

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions snipe-it versions prior to 5.4.3

Description The issue is related to a Stored Cross Site Scripting vulnerability in the checked out to parameter. This vulnerability can lead to the theft of a user's cookie. The input to the checked out to parameter is not properly escaped, allowing for the execution of malicious scripts.

Recommendations For versions prior to 5.4.3, update to version 5.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the checked out to parameter to minimize the risk of exploitation. Avoid using the checked out to parameter in sensitive operations until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-1445

GHSA-HPX4-XJP7-M4VR

Affected Products

Snipe-It

PT-2022-13895 · Snipe-It · Snipe-It

CVE-2022-1445

Weakness Enumeration

Related Identifiers

Affected Products

References · 8