Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Snipe-IT is vulnerable to stored XSS via unescaped custom field values in the API asset endpoint, allowing arbitrary JavaScript execution.
Vulnerability
Snipe-IT versions prior to the fix commit 7ce5993 are vulnerable to stored cross-site scripting (XSS) due to improper neutralization of input when generating API responses for assets. The transformAsset function did not escape custom field values and component names, allowing injection of arbitrary HTML/JavaScript [1], [2].
Exploitation
An attacker with the ability to create or edit assets (e.g., authenticated user with asset write permissions) can inject malicious scripts into custom field values or component names. When the asset data is retrieved via the API and rendered in a browser without proper escaping, the script executes in the context of the victim's session [3].
Impact
Successful exploitation leads to stored XSS, enabling an attacker to execute arbitrary JavaScript in the browser of any user viewing the asset details. This can result in session theft, data exfiltration, or further actions on behalf of the victim [1], [3].
Mitigation
The vulnerability is fixed in commit 7ce5993, merged into the main branch on 2021-11-19. Users should upgrade to a version containing this fix or apply the patch manually. No workaround is available [2], [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
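The following is an added, self-contained PHP illustration of the defect described above; it is not Snipe-IT's code. It models only the custom-fields branch of a transformer such as `transformAsset`, with a flag that switches between the pre-fix behaviour (values copied through as stored) and the fixed behaviour (values passed through an HTML-escaping helper). The `escapeHtml` function is an assumed stand-in for Laravel's `e()` helper, approximated here with `htmlspecialchars` using `ENT_QUOTES` and UTF-8; the field slugs and the sample values are constructed for the example.

```php
<?php
// Added example, not Snipe-IT code: a stripped-down model of the custom-field
// branch of an asset API transformer, before and after output escaping.

declare(strict_types=1);

// Assumed stand-in for Laravel's e() helper. Laravel implements e() on top of
// htmlspecialchars(); the exact flag set varies by version, so this is an
// approximation, not the framework's own function.
function escapeHtml(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES, 'UTF-8');
}

/**
 * Build the custom-fields part of an asset's API representation.
 *
 * @param array<string,string|null> $customFields  field slug => stored value
 * @param bool $escape  false reproduces the vulnerable (pre-fix) behaviour,
 *                      true reproduces the fixed behaviour
 * @return array<string,array{field:string,value:string}>
 */
function transformCustomFields(array $customFields, bool $escape): array
{
    $fieldsArray = [];
    foreach ($customFields as $slug => $value) {
        $fieldsArray[$slug] = [
            'field' => $escape ? escapeHtml($slug) : $slug,
            'value' => $escape ? escapeHtml($value) : (string) $value,
        ];
    }
    return $fieldsArray;
}

// Regression-style check: does any string in the transformed payload still
// carry a raw tag delimiter? A unit test can assert this is false after the fix.
function payloadContainsRawTag(array $fieldsArray): bool
{
    foreach ($fieldsArray as $entry) {
        foreach ($entry as $v) {
            if (strpbrk($v, '<>') !== false) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample input: one benign custom field and one whose stored
// value is an HTML fragment, the kind of input the advisory describes.
$sample = [
    '_snipeit_mac_address_1' => '00:11:22:33:44:55',
    '_snipeit_notes_2'       => '<img src=x onerror="alert(1)">',
];

$vulnerable = transformCustomFields($sample, false);
$fixed      = transformCustomFields($sample, true);

// json_encode() does not touch '<' or '>' unless JSON_HEX_TAG is given, so the
// vulnerable payload carries the fragment verbatim to any consumer.
echo "pre-fix payload:\n";
echo json_encode($vulnerable, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo "raw tag present: ", var_export(payloadContainsRawTag($vulnerable), true), "\n\n";

echo "fixed payload:\n";
echo json_encode($fixed, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
echo "raw tag present: ", var_export(payloadContainsRawTag($fixed), true), "\n";
```

Running it prints the malicious value verbatim in the pre-fix payload and as `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;` in the fixed one. The design point worth keeping in mind when reviewing a fix of this shape is that escaping at the API layer protects a front end that injects the JSON into HTML, but it also changes what every other API consumer receives: an `&` in a field value now arrives as `&amp;`, and a client that escapes before inserting into the DOM will double-encode. Escaping at the rendering sink avoids that trade-off; escaping in the transformer, as the fix does, is simpler to apply across all consumers of the endpoint.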
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snipe/snipe-it (Packagist) | < 5.3.2 | 5.3.2 |
Affected products
- snipe / snipe/snipe-it, v5, range: unspecified
Patches
- 7ce5993f5ae9: Merge pull request #10315 from snipe/fixes/escape_custom_fields_in_api_response
1 file changed · +5 −5
app/Http/Transformers/AssetsTransformer.php+5 −5 modified@@ -93,15 +93,15 @@ public function transformAsset(Asset $asset) $value = (Gate::allows('superadmin')) ? $decrypted : strtoupper(trans('admin/custom_fields/general.encrypted')); $fields_array[$field->name] = [ - 'field' => $field->convertUnicodeDbSlug(), - 'value' => $value, + 'field' => e($field->convertUnicodeDbSlug()), + 'value' => e($value), 'field_format' => $field->format, ]; } else { $fields_array[$field->name] = [ - 'field' => $field->convertUnicodeDbSlug(), - 'value' => $asset->{$field->convertUnicodeDbSlug()}, + 'field' => e($field->convertUnicodeDbSlug()), + 'value' => e($asset->{$field->convertUnicodeDbSlug()}), 'field_format' => $field->format, ]; @@ -134,7 +134,7 @@ public function transformAsset(Asset $asset) 'id' => $component->id, 'pivot_id' => $component->pivot->id, - 'name' => $component->name, + 'name' => e($component->name), 'qty' => $component->pivot->assigned_qty, 'price_cost' => $component->purchase_cost, 'purchase_total' => $component->purchase_cost * $component->pivot->assigned_qty,
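Review bot: in the custom-fields hunk the escaping is applied inside a JSON API transformer rather than at the HTML rendering sink, so every API consumer now receives HTML entities (`&lt;`, `&amp;`) in `field` and `value`, and a front end that already escapes before inserting into the DOM will double-encode them. If the goal is to protect the bundled UI, consider documenting that these API fields are HTML-escaped, or move the escaping to the table/view formatter. Note also that `'field_format' => $field->format` in both branches is left unescaped; it comes from the field definition rather than asset data, which is presumably why, but worth a comment.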
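Review bot: in the components hunk only `name` is wrapped in `e()`; the remaining values in that array (`qty`, `price_cost`, `purchase_total`) are numeric so they need no escaping, but the fix is easy to regress when another string field is added to this array later. A small regression test that assigns a component whose name contains `<` and asserts the asset API response contains `&lt;` rather than the raw character would pin the behaviour down for both this hunk and the custom-fields hunk.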
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c65v-p733-9796 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3961 (GHSA, advisory)
- github.com/snipe/snipe-it/commit/7ce5993f5ae9d713a0955c2fd8e2dff7a7ce886e (GHSA, x_refsource_MISC, web)
- huntr.dev/bounties/5987aed5-6613-4937-8a3e-d48009b7da10 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.