CRITICAL · CVE-2022-1380 · CVSS 9.1

CVE-2022-1380: Stored XSS in Snipe-IT Asset Management

Platform

php

Component

snipe/snipe-it

Fixed in

v5.4.3

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2022-1380 is a critical stored Cross-Site Scripting (XSS) vulnerability affecting Snipe-IT versions up to and including v5.4.3. This vulnerability allows attackers to inject malicious scripts through the Item name parameter, potentially leading to cookie theft and account compromise. The vulnerability was published on April 16, 2022, and a patch is available in version v5.4.3.

Impact and Attack Scenarios

The primary impact of CVE-2022-1380 is the potential for attackers to steal user cookies. Successful exploitation allows an attacker to impersonate a legitimate user, gaining unauthorized access to sensitive data and performing actions on behalf of the victim. This could include modifying asset records, accessing financial information, or even gaining administrative control of the Snipe-IT instance. The stored nature of the XSS means that the malicious script persists on the server, potentially affecting multiple users over time. This vulnerability shares similarities with other XSS attacks where cookie theft is a primary goal, enabling session hijacking and further compromise.

Exploitation Context

CVE-2022-1380 is a publicly known vulnerability with a high CVSS score. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation. While no confirmed active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation and the potential impact make it a high-priority vulnerability. The vulnerability was disclosed on April 16, 2022.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.25% (48% percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base score: 9.1 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: snipe/snipe-it
Vendor: snipe
Affected range: unspecified – v5.4.3
Fixed in: v5.4.3

Package Information

Last updated: 8.5.0, recently

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2022-1380 is to immediately upgrade Snipe-IT to version v5.4.3 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Item name parameter to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor Snipe-IT logs for suspicious activity, particularly unusual script execution or attempts to access sensitive data.
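The output-encoding fix that the mitigation above refers to, shown as an added PHP illustration rather than Snipe-IT's own code: the unsafe rendering of a stored item name beside its escaped form, plus a hypothetical input-validation rule for defence in depth. The sample payload is constructed for the demonstration.

```php
<?php
// Added illustration (not Snipe-IT's own code): encoding an asset "Item name"
// on output, which is the standard fix for a stored XSS in a rendered field.
// The payload below is a constructed sample used only to show the difference.

declare(strict_types=1);

// Vulnerable pattern: the stored value is interpolated into HTML unchanged,
// so markup inside the name is parsed and executed by every browser that
// renders the listing, not just the user who entered it.
function renderNameUnsafe(string $itemName): string
{
    return "<td>{$itemName}</td>";
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES also covers
// quoted attribute values, and ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string (which would silently blank the cell).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameSafe(string $itemName): string
{
    return '<td>' . escapeHtml($itemName) . '</td>';
}

// Defence in depth at input time: a hypothetical validation rule (not the
// validation Snipe-IT ships) that bounds the length and rejects angle
// brackets, which a legitimate asset name has no reason to contain.
function isAcceptableItemName(string $itemName): bool
{
    return mb_strlen($itemName) <= 255 && !preg_match('/[<>]/u', $itemName);
}

// Constructed sample input, the shape a stored-XSS probe on this field takes.
$constructed = 'Laptop <script>alert(1)</script>';

echo renderNameUnsafe($constructed), PHP_EOL; // markup reaches the browser intact
echo renderNameSafe($constructed), PHP_EOL;   // markup rendered as literal text
var_dump(isAcceptableItemName($constructed)); // rejected before it is stored
```

In a Laravel/Blade view, the equivalent distinction is `{{ $item->name }}` (escaped, like `renderNameSafe`) versus `{!! $item->name !!}` (unescaped, like `renderNameUnsafe`).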

How to fix

Upgrade Snipe-IT to version 5.4.3 or later. This version contains the fix for the stored XSS vulnerability. You can download the latest version from the official website or the GitHub repository.

Frequently asked questions

What is CVE-2022-1380 — Stored XSS in Snipe-IT?

CVE-2022-1380 is a critical stored XSS vulnerability in Snipe-IT versions up to v5.4.3, allowing attackers to inject malicious scripts through the Item name parameter.

Am I affected by CVE-2022-1380 in Snipe-IT?

Yes, if you are running Snipe-IT versions prior to v5.4.3, you are vulnerable to this XSS attack. Upgrade immediately.

How do I fix CVE-2022-1380 in Snipe-IT?

Upgrade Snipe-IT to version v5.4.3 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.

Is CVE-2022-1380 being actively exploited?

While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high risk of future attacks.

Where can I find the official Snipe-IT advisory for CVE-2022-1380?

Refer to the Snipe-IT security advisory on their GitHub repository: https://github.com/snipe/snipe-it/security/advisories/GHSA-5p7g-x49w-999c