Cross-site Scripting (XSS) - Generic in snipe/snipe-it
Description
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Snipe-IT before commit 9ed1442 has a stored/reflected XSS via the asset_tag parameter in the audit endpoint, allowing arbitrary JavaScript execution.
Vulnerability
Snipe-IT, a free and open-source IT asset/license management system built on Laravel, contains a cross-site scripting (XSS) vulnerability in the audit functionality. The bug is located in the audit() method of the application where user-supplied asset_tag input is directly reflected into a JSON error response without proper sanitization. Versions prior to commit 9ed1442 are affected [2]. The vulnerable code path is reachable when an audit request is made with a non-existent asset tag, triggering an error message that includes the attacker-controlled value.
Exploitation
An attacker does not require authentication to exploit this vulnerability, as the audit endpoint is accessible without logging in. The attacker crafts a malicious `asset_tag` parameter containing JavaScript code and sends it to the audit endpoint. When the server processes the request and cannot find an asset with that tag, it returns a JSON error response that includes the unescaped `asset_tag` value in the error message. If a victim views this response in a browser (e.g., via a crafted link or embedded resource), the injected script executes in the context of the Snipe-IT application, leading to XSS.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who accesses the maliciously crafted audit endpoint response. This can lead to theft of session cookies, user impersonation, defacement, or other client-side attacks. The vulnerability is classified as Improper Neutralization of Input During Web Page Generation (CWE-79) with a CVSS score of 6.1 (Medium) [2]. No server-side compromise is achieved; the impact is limited to the victim's browser session.
Mitigation
The vulnerability was fixed in commit 9ed1442 by wrapping the asset_tag value with Laravel's e() helper function, which HTML-encodes the output [3]. The fix was merged on an unknown date before the CVE publication on 2021-11-13. Users should upgrade to a version that includes this commit (or later). There is no evidence of exploitation in the wild (not listed in CISA KEV). If upgrading is not immediately possible, administrators can restrict network access to the audit endpoint or apply a web application firewall rule to block malicious asset_tag parameters.
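To make the effect of the fix concrete, the following is an added PHP example, not Snipe-IT's own code: it builds the audit error message both without and with encoding, using a local `e_like()` helper written here to mirror Laravel's `e()` (an `htmlspecialchars` call with `ENT_QUOTES` and UTF-8, which is an assumption about that helper), and replaces `Helper::formatStandardApiResponse` with a plain array. The sample tag is constructed.

```php
<?php
// Added example, not Snipe-IT's code. Shows what changes in the audit()
// error response when the interpolated tag is passed through e().

// Assumption: stands in for Laravel's e(), which for plain strings calls
// htmlspecialchars() with ENT_QUOTES and UTF-8.
function e_like(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', true);
}

// Stand-in for Helper::formatStandardApiResponse('error', $payload, $message):
// a plain array carrying the same three pieces of information.
function auditErrorResponse(string $assetTag, bool $encodeMessage): array
{
    // $encodeMessage = false reproduces the pre-fix message; true the post-fix one.
    $shown = $encodeMessage ? e_like($assetTag) : $assetTag;
    return [
        'status'   => 'error',
        'messages' => 'Asset with tag ' . $shown . ' not found',
        'payload'  => ['asset_tag' => e_like($assetTag)], // encoded in both versions
    ];
}

// Regression check usable in a test suite: the message must not carry
// any character that HTML treats as markup or as an attribute delimiter.
function messageIsEncoded(array $response): bool
{
    return preg_match('/[<>"\']/', $response['messages']) === 0;
}

// Constructed sample input: a "tag" that is HTML markup rather than a real asset tag.
$tag = '<b title="x">TAG-001</b>';

$before = auditErrorResponse($tag, false); // markup passes through into the message
$after  = auditErrorResponse($tag, true);  // markup is entity-encoded in the message

echo json_encode($before, JSON_PRETTY_PRINT), PHP_EOL;
echo json_encode($after,  JSON_PRETTY_PRINT), PHP_EOL;

var_dump(messageIsEncoded($before));
var_dump(messageIsEncoded($after));
```

Run it with `php example.php`. The detail worth noticing, visible in the patch below as well, is that `payload['asset_tag']` was already encoded before the fix; only the interpolated message string was not, and that is the string a front-end would place into the page if it renders API messages. Encoding at this point is the minimal fix; the more general rule is to encode where data is inserted into HTML, since this JSON response is also read by API clients that will now receive entities in the message text.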
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snipe/snipe-it (Packagist) | < 5.4.0 | 5.4.0 |
Affected products
- snipe/snipe/snipe-it v5 (Range: unspecified)
Patches
- 9ed1442bd124: Merge pull request #10286 from uberbrady/fix_bulk_audit_xss
1 file changed · +1 −1
app/Http/Controllers/Api/AssetsController.php+1 −1 modified@@ -910,7 +910,7 @@ public function audit(Request $request) { } } - return response()->json(Helper::formatStandardApiResponse('error', ['asset_tag'=> e($request->input('asset_tag'))], 'Asset with tag '.$request->input('asset_tag').' not found')); + return response()->json(Helper::formatStandardApiResponse('error', ['asset_tag'=> e($request->input('asset_tag'))], 'Asset with tag '.e($request->input('asset_tag')).' not found'));
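Review bot: the change closes the reflection by passing the interpolated tag through e() in the message string, but it ships without a regression test (the patch touches only AssetsController.php, `1 file changed`); add a feature test that audits a non-existent tag containing a character such as `<` and asserts the returned `messages` string carries `&lt;` rather than the raw character. Note also that `['asset_tag'=> e($request->input('asset_tag'))]` in the payload was already encoded, so the message was the only unencoded copy; since the message is now HTML-entity-encoded inside a JSON API response, non-browser clients of this endpoint will see entities in the text, which should be documented (API message strings are HTML-safe) or handled by encoding at the rendering layer instead.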
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2cqg-q7jm-j35c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3938 (GHSA, advisory)
- github.com/snipe/snipe-it/commit/9ed1442bd124710f4178992cc4eca5236c7396b9 (GHSA, x_refsource_MISC, web)
- huntr.dev/bounties/198a0d67-9189-4170-809b-0f8aea43b063 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.