Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description
Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Snipe-IT before v6.0.11 allows attackers to inject arbitrary JavaScript via unsanitized user input.
Root Cause
The vulnerability resides in the Parsedown-based rendering of user-supplied text. The application used $Parsedown->text(e($str)) without enabling setSafeMode(true). Because e() escapes HTML entities only, it does not prevent Parsedown from generating raw HTML when safe mode is off. An attacker could input malicious markdown or HTML that, when parsed, outputs executable scripts [1].
Exploitation
An attacker who can supply text—such as EULA text, asset notes, or other fields—can inject arbitrary JavaScript. The malicious input is stored in the database and executed in the browsers of any user who views the affected asset or category. No special privileges are required beyond the ability to create or edit such text (typically admin or asset manager roles) [3][4].
Impact
Successful exploitation leads to stored cross-site scripting (XSS). The attacker can perform actions on behalf of the victim, including stealing session cookies, redirecting to malicious sites, or modifying page content. This compromises the integrity and confidentiality of the Snipe-IT instance [3].
Mitigation
The issue is fixed in Snipe-IT version 6.0.11, released 2022-08-29. The fix adds setSafeMode(true) to the Parsedown instance and uses a helper function to properly handle markdown parsing [1]. Users should upgrade immediately; no official workarounds are documented.
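As an added illustration (not Snipe-IT's own code), the following PHP helper is modelled on the patched parseEscapedMarkedown, with an explicit null return added, and carries a small regression check for the previously unescaped note rendering path. It assumes Parsedown 1.7 or later is installed through Composer.

```php
<?php
// Added example (not Snipe-IT's own code): a safe-mode Parsedown helper
// modelled on the patched Helper::parseEscapedMarkedown, plus a small
// regression check. Assumes Parsedown >= 1.7 is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

/**
 * Render user-supplied markdown. Safe mode makes Parsedown escape raw
 * HTML and neutralise links whose scheme is not on its whitelist, so the
 * caller no longer wraps the input in e() (which would otherwise
 * double-encode entities in ordinary text).
 */
function renderUserMarkdown(?string $str): ?string
{
    if ($str === null || $str === '') {
        return null;            // explicit, unlike the patched helper's fall-through
    }
    $parsedown = new \Parsedown();
    $parsedown->setSafeMode(true);
    return $parsedown->text($str);
}

/**
 * Regression check for the AssetModelPresenter::note() path, which before
 * the fix passed the note to Parsedown with no escaping at all.
 * Returns true when raw HTML is entity-escaped and markdown still renders.
 */
function renderIsSafe(): bool
{
    // Constructed sample note: a raw HTML tag beside legitimate markdown.
    $note = 'Asset note <b>raw</b> **md**';
    $html = renderUserMarkdown($note);

    $rawTagEscaped = strpos($html, '<b>') === false
                  && strpos($html, '&lt;b&gt;') !== false;
    $markdownKept  = strpos($html, '<strong>md</strong>') !== false;
    $emptyIsNull   = renderUserMarkdown('') === null
                  && renderUserMarkdown(null) === null;

    return $rawTagEscaped && $markdownKept && $emptyIsNull;
}

echo renderIsSafe() ? "render OK\n" : "render UNSAFE\n";
```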
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| snipe/snipe-it (Packagist) | < 6.0.11 | 6.0.11 |
Affected products
- snipe/snipe-it v5: range unspecified
Patches
- 9cf5f30c77df: Set safeMode to true and use helper for all parsedown
11 files changed · +29 −31
app/Helpers/Helper.php+3 −2 modified@@ -22,12 +22,13 @@ class Helper * @since [v2.0] * @return string */ - public static function parseEscapedMarkedown($str) + public static function parseEscapedMarkedown($str = null) { $Parsedown = new \Parsedown(); + $Parsedown->setSafeMode(true); if ($str) { - return $Parsedown->text(e($str)); + return $Parsedown->text($str); } }
app/Models/Accessory.php+4 −4 modified@@ -2,6 +2,7 @@ namespace App\Models; +use App\Helpers\Helper; use App\Models\Traits\Acceptable; use App\Models\Traits\Searchable; use App\Presenters\Presentable; @@ -299,15 +300,14 @@ public function requireAcceptance() */ public function getEula() { - $Parsedown = new \Parsedown(); if ($this->category->eula_text) { - return $Parsedown->text(e($this->category->eula_text)); + return Helper::parseEscapedMarkedown($this->category->eula_text); } elseif ((Setting::getSettings()->default_eula_text) && ($this->category->use_default_eula == '1')) { - return $Parsedown->text(e(Setting::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text); } - return null; + return null; } /**
app/Models/Asset.php+4 −4 modified@@ -5,6 +5,7 @@ use App\Events\AssetCheckedOut; use App\Events\CheckoutableCheckedOut; use App\Exceptions\CheckoutNotAllowed; +use App\Helpers\Helper; use App\Http\Traits\UniqueSerialTrait; use App\Http\Traits\UniqueUndeletedTrait; use App\Models\Traits\Acceptable; @@ -875,13 +876,12 @@ public function requireAcceptance() */ public function getEula() { - $Parsedown = new \Parsedown(); - + if (($this->model) && ($this->model->category)) { if ($this->model->category->eula_text) { - return $Parsedown->text(e($this->model->category->eula_text)); + return Helper::parseEscapedMarkedown($this->model->category->eula_text); } elseif ($this->model->category->use_default_eula == '1') { - return $Parsedown->text(e(Setting::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text); } else { return false; }
app/Models/Category.php+3 −3 modified@@ -9,6 +9,7 @@ use Illuminate\Database\Eloquent\SoftDeletes; use Illuminate\Support\Facades\Gate; use Watson\Validating\ValidatingTrait; +use App\Helpers\Helper; /** * Model for Categories. Categories are a higher-level group @@ -207,12 +208,11 @@ public function models() */ public function getEula() { - $Parsedown = new \Parsedown(); if ($this->eula_text) { - return $Parsedown->text(e($this->eula_text)); + return Helper::parseEscapedMarkedown($this->eula_text); } elseif ((Setting::getSettings()->default_eula_text) && ($this->use_default_eula == '1')) { - return $Parsedown->text(e(Setting::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text); } else { return null; }
app/Models/Consumable.php+3 −4 modified@@ -2,6 +2,7 @@ namespace App\Models; +use App\Helpers\Helper; use App\Models\Traits\Acceptable; use App\Models\Traits\Searchable; use App\Presenters\Presentable; @@ -265,12 +266,10 @@ public function requireAcceptance() */ public function getEula() { - $Parsedown = new \Parsedown(); - if ($this->category->eula_text) { - return $Parsedown->text(e($this->category->eula_text)); + return Helper::parseEscapedMarkedown($this->category->eula_text); } elseif ((Setting::getSettings()->default_eula_text) && ($this->category->use_default_eula == '1')) { - return $Parsedown->text(e(Setting::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text); } else { return null; }
app/Models/License.php+3 −3 modified@@ -2,6 +2,7 @@ namespace App\Models; +use App\Helpers\Helper; use App\Models\Traits\Searchable; use App\Presenters\Presentable; use Carbon\Carbon; @@ -337,12 +338,11 @@ public function requireAcceptance() */ public function getEula() { - $Parsedown = new \Parsedown(); if ($this->category->eula_text) { - return $Parsedown->text(e($this->category->eula_text)); + return Helper::parseEscapedMarkedown($this->category->eula_text); } elseif ($this->category->use_default_eula == '1') { - return $Parsedown->text(e(Setting::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(Setting::getSettings()->default_eula_text); } else { return false; }
app/Models/Setting.php+3 −5 modified@@ -8,9 +8,10 @@ use Illuminate\Support\Collection; use Illuminate\Support\Facades\App; use Illuminate\Support\Facades\Cache; -use Parsedown; +use App\Helpers\Helper; use Watson\Validating\ValidatingTrait; + /** * Settings model. */ @@ -135,7 +136,6 @@ public static function setupCompleted(): bool public function lar_ver(): string { $app = App::getFacadeApplication(); - return $app::VERSION; } @@ -147,9 +147,7 @@ public function lar_ver(): string public static function getDefaultEula(): ?string { if (self::getSettings()->default_eula_text) { - $parsedown = new Parsedown(); - - return $parsedown->text(e(self::getSettings()->default_eula_text)); + return Helper::parseEscapedMarkedown(self::getSettings()->default_eula_text); } return null;
app/Presenters/AssetModelPresenter.php+3 −3 modified@@ -2,6 +2,8 @@ namespace App\Presenters; +use App\Helpers\Helper; + /** * Class AssetModelPresenter */ @@ -159,10 +161,8 @@ public static function dataTableLayout() */ public function note() { - $Parsedown = new \Parsedown(); - if ($this->model->note) { - return $Parsedown->text($this->model->note); + return Helper::parseEscapedMarkedown($this->model->note); } }
resources/views/auth/login.blade.php+1 −1 modified@@ -28,7 +28,7 @@ @if ($snipeSettings->login_note) <div class="col-md-12"> <div class="alert alert-info"> - {!! Parsedown::instance()->text(e($snipeSettings->login_note)) !!} + {!! Helper::parseEscapedMarkedown($snipeSettings->login_note) !!} </div> </div> @endif
resources/views/dashboard.blade.php+1 −1 modified@@ -17,7 +17,7 @@ <div class="box-body"> <div class="row"> <div class="col-md-12"> - {!! Parsedown::instance()->text(e($snipeSettings->dashboard_message)) !!} + {!! Helper::parseEscapedMarkedown($snipeSettings->dashboard_message) !!} </div> </div> </div>
resources/views/layouts/default.blade.php+1 −1 modified@@ -827,7 +827,7 @@ </div> @if ($snipeSettings->footer_text!='') <div class="pull-right"> - {!! Parsedown::instance()->text(e($snipeSettings->footer_text)) !!} + {!! Helper::parseEscapedMarkedown($snipeSettings->footer_text) !!} </div> @endif
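Review bot: in the app/Helpers/Helper.php hunk, `parseEscapedMarkedown($str = null)` still falls off the end of the function when `$str` is falsy, so callers receive an implicit null and a note of `'0'` is silently dropped; add an explicit `return null;` after the `if` block (or declare `: ?string`) and test for `null`/`''` rather than truthiness. The function name and the `@return string` docblock also no longer describe what the function does now that `e()` is gone and escaping is delegated to `setSafeMode(true)`; a docblock line stating that safe mode (Parsedown 1.7.0 or later) is what escapes raw HTML and filters link schemes would stop the next maintainer from re-adding `e()` and double-encoding entities.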
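Review bot: the three Blade hunks (login.blade.php, dashboard.blade.php, layouts/default.blade.php) call `Helper::parseEscapedMarkedown(...)` unqualified inside `{!! !!}`, whereas every model hunk adds an explicit `use App\Helpers\Helper;`. That only works if a `Helper` class alias is registered for the application; if it is not, the login page and the layout footer fatal on every request, so either confirm the alias exists or use the fully qualified `\App\Helpers\Helper::parseEscapedMarkedown(...)` in the views.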
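Review bot: the app/Presenters/AssetModelPresenter.php hunk is the one call site that previously passed `$this->model->note` to Parsedown with no `e()` wrapper at all, so it is the only path where raw HTML reached the page unescaped before this commit; that deserves a mention in the commit message or advisory, since the other hunks replace calls that were already entity-escaped. Separately, the Accessory.php `- return null;` / `+ return null;` pair and the blank-line removal inside `Setting::lar_ver()` are whitespace-only changes unrelated to the fix, and Category.php appends `use App\Helpers\Helper;` after `Watson\Validating\ValidatingTrait` instead of keeping the import group sorted as the other models do.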
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rff2-vqm3-jpv5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-3035 (GHSA, advisory)
- github.com/snipe/snipe-it/commit/9cf5f30c77df6ab60baab1c0e6bb0b4e773f0eae (GHSA, x_refsource_MISC, web)
- huntr.dev/bounties/0bbb1046-ea9e-4cb9-bc91-b294a72d1902 (GHSA, x_refsource_CONFIRM, web)