VYPR
Moderate severity · NVD Advisory · Published Dec 25, 2022 · Updated Apr 15, 2025

CVE-2022-44380

Description

Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Snipe-IT before 6.0.14 contains a stored XSS vulnerability in the View Assigned Assets page, allowing attackers to inject malicious JavaScript.

CVE-2022-44380 is a stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT versions prior to 6.0.14. The affected view is reached from the "Account" drop-down menu by selecting the "View Assigned Assets" option. That view renders assets, licenses, accessories, and consumables from the database without proper sanitization, so malicious JavaScript stored in those records is later executed in a victim's browser [1].

To exploit this vulnerability, an attacker must be able to inject script into the database fields that are displayed on the View Assigned Assets page. This requires a user with permission to create or edit assets, licenses, accessories, or consumables. The injected script then executes whenever any user (including an administrator) opens the View Assigned Assets page, because it is rendered in the context of the victim's session [1].

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, defacement, or further attacks within the Snipe-IT application. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) [1][3].
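The mechanism described above, a server-side view that concatenates stored field values straight into HTML, is the CWE-79 pattern. The following added example, which is not Snipe-IT's own code and not taken from the advisory, puts the unescaped rendering next to the output-encoded version. The function names, the `$asset` array layout and the sample record are assumptions constructed for this illustration.

```php
<?php
// Added example, not Snipe-IT's own code. Shows the CWE-79 pattern behind
// CVE-2022-44380: a view that prints database fields into HTML. The field
// names, the $asset array shape and the sample record are constructed for
// this demonstration and are not taken from the Snipe-IT code base.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE avoids returning an empty
// string on malformed UTF-8, and the charset is pinned to UTF-8.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored strings are concatenated straight into markup.
// Any user-controlled field reaches the browser as markup, so a stored
// <script> element is executed by every viewer of the page.
function renderAssetRowUnsafe(array $asset): string
{
    return '<tr>'
        . '<td>' . $asset['asset_tag'] . '</td>'
        . '<td>' . $asset['name'] . '</td>'
        . '<td>' . $asset['model'] . '</td>'
        . '</tr>';
}

// Hardened pattern: every dynamic value is HTML-escaped at output time, so
// the browser displays the stored text literally instead of parsing it.
function renderAssetRowSafe(array $asset): string
{
    return '<tr>'
        . '<td>' . e($asset['asset_tag']) . '</td>'
        . '<td>' . e($asset['name']) . '</td>'
        . '<td>' . e($asset['model']) . '</td>'
        . '</tr>';
}

// Constructed sample record: the "name" field carries the kind of value an
// asset editor could store in an unpatched install.
$sample = [
    'asset_tag' => 'LAP-0001',
    'name'      => '<script>alert(1)</script>',
    'model'     => 'Laptop "X" & Co',
];

echo "Unsafe:\n" . renderAssetRowUnsafe($sample) . "\n\n";
echo "Safe:\n"   . renderAssetRowSafe($sample)   . "\n";

// Self-check: the hardened output must not contain a raw <script> tag,
// and the escaped form must be present instead.
$safe = renderAssetRowSafe($sample);
if (strpos($safe, '<script') !== false || strpos($safe, '&lt;script&gt;') === false) {
    throw new RuntimeException('output encoding failed');
}
```

In a Laravel Blade template (Snipe-IT is a Laravel application) the same distinction is between `{{ $value }}`, which escapes, and `{!! $value !!}`, which emits the raw string; a code review for this class of bug looks for the raw form, and for string concatenation or `echo` of model attributes inside view code, wherever user-editable fields are displayed. Whether Snipe-IT's affected view used either construct is not stated on this page.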

The vulnerability was discovered by Charalampos Maraziaris of CENSUS and is fixed in Snipe-IT version 6.0.14. Users are strongly advised to upgrade to this version or later to mitigate the risk. No workarounds have been publicly documented [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
snipe/snipe-it   Packagist   < 6.0.14            6.0.14

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.