CVE-2025-63743
Description
A Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system, from v8.3.0 up to and including v8.3.1, allows an authenticated attacker with the lowest privileges (sufficient only to log in) to inject arbitrary JavaScript code via the "Name" and "Surname" fields. The JavaScript code is executed whenever the "Activity Report" or the modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Snipe-IT v8.3.0–v8.3.1 allows low-privileged users to inject JavaScript via Name/Surname fields, executed when Activity Report or profile is viewed.
Vulnerability Overview
CVE-2025-63743 is a stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT, an open-source asset management system, affecting versions 8.3.0 through 8.3.1. The issue arises from insufficient escaping of user-supplied data in the 'Name' and 'Surname' fields when the optional 'Display Name' is not set. The backend API returns an unescaped value that includes user-controlled JavaScript, allowing an attacker to inject arbitrary scripts [1][4]. The root cause is traced to a commit that introduced the bug on August 25, 2025, and was fixed in commit 2bee87298 on September 8, 2025 [4].
Exploitation Path
An authenticated attacker with the lowest privilege (only login access) can exploit this by editing their profile and injecting JavaScript payloads into the 'First Name' or 'Last Name' fields, provided the 'Display Name' field remains empty. When any user with sufficient permissions views the 'Activity Report' (via Reports > Activity Report) or accesses the modified profile directly (through the People tab or History tab), the injected script executes in the context of the viewer's browser [4]. The vulnerability does not require any special role beyond being able to log in [1][4].
Impact
Successful exploitation leads to stored XSS, enabling an attacker to perform actions on behalf of the victim, steal session tokens, or deface pages within the Snipe-IT application. Since the script runs in the context of any user viewing the affected report or profile, the potential impact includes data theft and privilege escalation depending on the viewer's permissions [4].
Mitigation
The issue is fixed in Snipe-IT version 8.3.2, released shortly after the bug was introduced [4]. The fix sanitizes the output by using display_name instead of fullName() and properly escaping the value [1]. Users should update to the latest version immediately. No workaround is provided other than setting the 'Display Name' for all profiles, which keeps the vulnerable fallback code path from being reached.
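The following is an added example, not Snipe-IT's own code: it reproduces the display-label fallback the advisory describes (use display_name when set, otherwise join first and last name), shows the unescaped rendering beside an output-escaped one, and adds a small audit that lists stored profiles which would reach the unescaped path on an unpatched instance (no display name set, HTML metacharacters in a name field). The function names, the user record shape and the sample records are assumptions constructed for the example.

```javascript
// Added example (not Snipe-IT code). Demonstrates the display-name fallback
// described for CVE-2025-63743, unescaped vs. escaped, plus a defender-side
// audit of stored profiles. Record shape and names are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fallback used when no display name is set: join first and last name.
function fullName(user) {
  return `${user.first_name ?? ''} ${user.last_name ?? ''}`.trim();
}

// Prefer display_name; fall back to fullName() only when it is empty.
function resolveLabel(user) {
  const display = (user.display_name ?? '').trim();
  return display !== '' ? display : fullName(user);
}

// Vulnerable pattern: the resolved label is concatenated into markup as-is,
// so whichever field supplied it is interpreted as HTML by the viewer's browser.
function renderUserLabelUnsafe(user) {
  return `<a href="/users/${encodeURIComponent(user.id)}">${resolveLabel(user)}</a>`;
}

// Hardened pattern: escape at the point of output, regardless of which field
// the label came from, so the fallback path is no longer special.
function renderUserLabel(user) {
  return `<a href="/users/${encodeURIComponent(user.id)}">${escapeHtml(resolveLabel(user))}</a>`;
}

// Audit helper: ids of profiles that have no display name AND carry HTML
// metacharacters in first or last name. On an unpatched instance these are the
// records that would be rendered unescaped; on a patched one they are worth a
// look as possible leftovers from earlier tampering.
const MARKUP = /[<>"'&]/;
function auditProfiles(users) {
  return users
    .filter((u) => (u.display_name ?? '').trim() === ''
      && (MARKUP.test(u.first_name ?? '') || MARKUP.test(u.last_name ?? '')))
    .map((u) => u.id);
}

// Constructed sample records (not real data).
const SAMPLE_USERS = [
  { id: 1, first_name: 'Alice', last_name: 'Example', display_name: '' },
  { id: 2, first_name: '<b>Bob</b>', last_name: 'Example', display_name: '' },
  { id: 3, first_name: '<b>Carol</b>', last_name: 'Example', display_name: 'Carol E.' },
];
```

Run the audit against a user export before and after upgrading: record 2 is flagged because its display name is empty and its first name carries markup, while record 3 is not, since its display name takes precedence. The hardened renderer escapes the label regardless of which field produced it, which is the general form of the fix the advisory describes.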
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)