snipe/snipe-it is vulnerable to cross-site scripting (XSS). User input is not escaped before being displayed in a user’s browser, allowing remote attackers to inject arbitrary JavaScript into a victim’s browser via log_meta values and the user’s last name in the API.
CPE

Name | Operator | Version |
---|---|---|
snipe/snipe-it | le | 4.6.13 |