snipe/snipe-it is vulnerable to cross-site scripting. The vulnerability exists in the `transformAssets` function in `DepreciationReportTransformer` because the `checked_out_to` parameter is not properly escaped, which allows an attacker to send and execute arbitrary JavaScript.

CPE | Name | Operator | Version |
---|---|---|---|
 | snipe/snipe-it | le | v5.4.3 |
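
The missing output escaping described above, shown as an added example that is not Snipe-IT's own code: a simplified stand-in for a report transformer, with the unescaped `checked_out_to` field beside an escaped one. The function names, the `assigned_name` key and the sample rows are assumptions constructed for illustration, and `htmlspecialchars` stands in for whatever escaping helper the project uses.

```php
<?php
// Added illustration; a simplified stand-in, not Snipe-IT's actual transformer code.

// Constructed sample rows: the second display name contains markup.
$assets = [
    ['id' => 1, 'name' => 'Laptop 01', 'assigned_name' => 'Alice Example'],
    ['id' => 2, 'name' => 'Laptop 02', 'assigned_name' => '<script>alert(1)</script>'],
    ['id' => 3, 'name' => 'Laptop 03', 'assigned_name' => null],
];

// Escape a value for an HTML text or attribute context.
function escape_html(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// "Before": checked_out_to is copied into the report row unescaped.
function transform_assets_unescaped(array $assets): array
{
    return array_map(fn (array $a) => [
        'id' => (int) $a['id'],
        'name' => escape_html($a['name']),
        'checked_out_to' => $a['assigned_name'] ?? '',
    ], $assets);
}

// "After": every string field, including checked_out_to, is escaped.
function transform_assets_escaped(array $assets): array
{
    return array_map(fn (array $a) => [
        'id' => (int) $a['id'],
        'name' => escape_html($a['name']),
        'checked_out_to' => escape_html($a['assigned_name']),
    ], $assets);
}

// Regression check: no raw angle brackets may survive in any string field.
foreach (transform_assets_escaped($assets) as $row) {
    foreach ($row as $field => $value) {
        if (is_string($value) && preg_match('/[<>]/', $value)) {
            throw new RuntimeException("unescaped markup in {$field}");
        }
    }
}

// Print the same row from both versions for comparison.
echo json_encode(transform_assets_unescaped($assets)[1]), PHP_EOL;
echo json_encode(transform_assets_escaped($assets)[1]), PHP_EOL;
```

The loop over the escaped output is the kind of regression test worth keeping next to any transformer that feeds user-controlled names into a rendered table.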