{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-63743", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:41:41.195Z", "dateReserved": "2025-10-27T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T15:33:29.031Z"}, "descriptions": [{"lang": "en", "value": "Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via \"Name\" and \"Surname\" fields. The JavaScript code is executed whenever \"Activity Report\" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's \"Display Name\" is not set. The vulnerability is fixed in v8.3.2."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://grokability.com"}, {"url": "http://snipe-it.com"}, {"url": "https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65"}, {"url": "https://github.com/mikust/CVEs/tree/main/CVE-2025-63743"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:41:20.227228Z", "id": "CVE-2025-63743", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:41:41.195Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-63743", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:41:20.227228Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:41:37.697Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://grokability.com"}, {"url": "http://snipe-it.com"}, {"url": "https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65"}, {"url": "https://github.com/mikust/CVEs/tree/main/CVE-2025-63743"}], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via \"Name\" and \"Surname\" fields. The JavaScript code is executed whenever \"Activity Report\" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's \"Display Name\" is not set. The vulnerability is fixed in v8.3.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T15:33:29.031Z"}}}, "cveMetadata": {"cveId": "CVE-2025-63743", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:41:41.195Z", "dateReserved": "2025-10-27T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via \"Name\" and \"Surname\" fields. The JavaScript code is executed whenever \"Activity Report\" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's \"Display Name\" is not set. The vulnerability is fixed in v8.3.2."}], "id": "CVE-2025-63743", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T16:16:24.487", "references": [{"source": "cve@mitre.org", "url": "http://grokability.com"}, {"source": "cve@mitre.org", "url": "http://snipe-it.com"}, {"source": "cve@mitre.org", "url": "https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65"}, {"source": "cve@mitre.org", "url": "https://github.com/mikust/CVEs/tree/main/CVE-2025-63743"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.3.0,8.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "snipe-it", "vendor": "grokability"}], "analysis": {"en": {"generated_at": "2026-04-14T17:05:26.685743+00:00", "value": {"mitigation_remediation": ["Upgrade Snipe\u2011IT to version 8.3.2 or later to resolve the XSS vulnerability.", "If an upgrade cannot be performed immediately, set a non\u2011empty Display Name for all user profiles to prevent the script from executing.", "Limit the ability of low\u2011privilege users to view the Activity Report or modify profiles until the patch is applied.", "Monitor web server logs for attempts to inject JavaScript into the Name and Surname fields."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected software is the Snipe\u2011IT web\u2011based asset\u2011management system, version 8.3.0 through 8.3.1 inclusive. The fix is available in version 8.3.2 and later. No other vendors or product variants are listed in the CNA data.", "description_and_impact": "Authenticated users with the lowest privilege level can insert arbitrary JavaScript into the Name and Surname fields of user profiles in Snipe\u2011IT v8.3.0\u20138.3.1 when the profile\u2019s Display Name field is left blank. When another user views the Activity Report or the modified profile, the injected code runs in that user\u2019s browser session. The description implies this could allow client\u2011side attacks such as credential theft or phishing, but these specific outcomes are inferred from typical XSS effects.", "risk_and_exploitability": "The CVSS score of 5.4 represents medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an authenticated session and a target profile lacking a Display Name; the attacker must also have permission to view the Activity Report or the modified profile for the malicious script to execute. Because the vulnerability is reachable via the web interface and affects authenticated users, the risk is partly mitigated by user\u2011level controls but remains for environments where the low\u2011privilege accounts can edit profiles and view reports."}}}}, "created": "2026-04-14T16:21:50.149455+00:00", "title": "Authenticated XSS in Snipe\u2011IT via Name and Surname Fields", "updated": "2026-04-15T15:45:07.538465+00:00", "vendors": ["grokability", "grokability$PRODUCT$snipe-it"]}