Security Vulnerability Report
CVE-2025-63743 CVSS 5.4 MEDIUM

CVE-2025-63743

Published: 2026-04-13 16:16:24
Last Modified: 2026-04-27 19:18:47

Description

Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system, from v8.3.0 up to and including v8.3.1, allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The JavaScript code is executed whenever the "Activity Report" or the modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Snipe-IT 8.3.0
Snipe-IT 8.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<script>
/*
 * PoC for CVE-2025-63743
 * Description: Stored XSS via Name/Surname fields in Snipe-IT
 * Prerequisite: The user's "Display Name" must be empty.
 */

// Malicious payload to be injected in the "Name" or "Surname" field.
// This payload triggers an alert box to demonstrate execution.
const payload = '<img src=x onerror=alert(\'CVE-2025-63743-XSS\')>';

/*
 * Reproduction Steps:
 * 1. Log in to Snipe-IT as a low-privilege user.
 * 2. Navigate to the user's profile settings (e.g., /account/profile).
 * 3. Ensure the "Display Name" field is cleared/empty.
 * 4. In the "First Name" or "Last Name" input field, paste the payload.
 * 5. Save the profile changes.
 * 6. Log in as an Administrator.
 * 7. Navigate to the "Activity Report" page or view the low-privilege user's profile.
 * 8. Observe the JavaScript alert executing.
 */
</script>

References

http://grokability.com
http://snipe-it.com
https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65
https://github.com/mikust/CVEs/tree/main/CVE-2025-63743

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-63743",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-13T16:16:24.487",
    "lastModified": "2026-04-27T19:18:46.690",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via \"Name\" and \"Surname\" fields. The JavaScript code is executed whenever \"Activity Report\" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's \"Display Name\" is not set. The vulnerability is fixed in v8.3.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://grokability.com",
        "source": "[email protected]"
      },
      {
        "url": "http://snipe-it.com",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/mikust/CVEs/tree/main/CVE-2025-63743",
        "source": "[email protected]"
      }
    ]
  }
}