Snipe-IT
cpe:2.3:a:snipeitapp:snipe-it:*:*:*:*:*:*:*
- <= 8.3.3
A stored cross-site scripting vulnerability has been identified in Snipe-IT versions prior to 8.3.4. This issue allows low-privileged authenticated users with location management permissions to inject malicious JavaScript into the 'Country' field of the Locations module. The injected script is executed in the session of any user, including administrators, who views or edits the affected location. This vulnerability could lead to privilege escalation or unauthorized actions performed on behalf of the victim user.
Successful exploitation results in stored cross-site scripting: the injected script executes in the context of any user who views the affected location. This could lead to privilege escalation, especially if an administrator is tricked into interacting with the compromised location.
To reproduce this vulnerability, log in as a user with location management permissions. Create a new location or edit an existing one, and inject a JavaScript payload into the 'Country' field. Once the changes are saved, the injected script will execute when a higher-privileged user, such as an administrator, views or edits the location.
Users are advised to update Snipe-IT to version 8.3.4 or later. Additionally, ensure that server-side sanitization is applied to all user-controlled fields and consider implementing a Content Security Policy where applicable.
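The mitigations named above (server-side checking of user-controlled fields, encoding on output, and a Content Security Policy), sketched as an added example that is not Snipe-IT's code or its actual patch. The function names, the allow-list pattern, the sample policy and the sample records are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not Snipe-IT's code or its actual patch.

// Assumed allow-list for a country value: letters, combining marks, spaces and
// a little punctuation, at most 64 characters. Adjust to your own data.
const COUNTRY_PATTERN = /^[\p{L}\p{M} .,'()-]{0,64}$/u;

// Server-side input check: reject anything outside the allow-list.
function isValidCountry(value) {
  if (value == null) return true; // field left empty
  return typeof value === 'string' && COUNTRY_PATTERN.test(value);
}

// Output encoding: turn HTML-significant characters into entities so a stored
// value is displayed as text instead of being parsed as markup.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Weak form: the stored value is concatenated into the page as-is.
function renderCountryCellUnsafe(loc) {
  return `<td>${loc.country}</td>`;
}

// Hardened form: the same cell with the value encoded on output.
function renderCountryCell(loc) {
  return `<td>${escapeHtml(loc.country)}</td>`;
}

// Audit: ids of already-stored locations whose country fails the check.
function auditLocations(locations) {
  return locations.filter((loc) => !isValidCountry(loc.country)).map((loc) => loc.id);
}

// Sample policy (assumption): same-origin scripts only, no inline script.
const SAMPLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample records, not taken from a real installation.
const SAMPLE_LOCATIONS = [
  { id: 1, name: 'HQ', country: 'US' },
  { id: 2, name: 'Lab', country: "Côte d'Ivoire" },
  { id: 3, name: 'Annex', country: '<script>alert(1)</script>' },
];

console.log('Locations to review:', auditLocations(SAMPLE_LOCATIONS));
console.log('Encoded cell:', renderCountryCell(SAMPLE_LOCATIONS[2]));
```

The audit matters because an input check only sees new writes; it does not look at values that were saved earlier.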