Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| snipe/snipe-it (Packagist) | 0 | 8.3.4 | N/A |

CVSS Metrics