免费扫描
CRITICALCVE-2022-1380CVSS 9.1

Stored Cross Site Scripting vulnerability in Item name parameter in snipe/snipe-it

翻译中…

平台

php

组件

snipe/snipe-it

修复版本

v5.4.3

AI Confidence: highNVDEPSS 0.2%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2022-1380 is a critical stored Cross-Site Scripting (XSS) vulnerability affecting Snipe-IT versions up to and including v5.4.3. This vulnerability allows attackers to inject malicious scripts through the Item name parameter, potentially leading to cookie theft and account compromise. The vulnerability was published on April 16, 2022, and a patch is available in version v5.4.3.

影响与攻击场景翻译中…

The primary impact of CVE-2022-1380 is the potential for attackers to steal user cookies. Successful exploitation allows an attacker to impersonate a legitimate user, gaining unauthorized access to sensitive data and performing actions on behalf of the victim. This could include modifying asset records, accessing financial information, or even gaining administrative control of the Snipe-IT instance. The stored nature of the XSS means that the malicious script persists on the server, potentially affecting multiple users over time. This vulnerability shares similarities with other XSS attacks where cookie theft is a primary goal, enabling session hijacking and further compromise.

利用背景翻译中…

CVE-2022-1380 is a publicly known vulnerability with a high CVSS score. Public proof-of-concept exploits are likely to emerge, increasing the risk of exploitation. While no confirmed active exploitation campaigns have been publicly reported as of this writing, the ease of exploitation and the potential impact make it a high-priority vulnerability. The vulnerability was disclosed on April 16, 2022.

哪些人处于风险中翻译中…

Organizations utilizing Snipe-IT for asset tracking, particularly those running versions prior to v5.4.3, are at risk. This includes businesses of all sizes, educational institutions, and any entity relying on Snipe-IT for managing IT assets. Shared hosting environments where Snipe-IT is installed are particularly vulnerable due to the potential for cross-tenant exploitation.

检测步骤翻译中…

• php / server:

find /var/www/snipe-it -name '*.php' -print0 | xargs -0 grep -i 'item name parameter'

• generic web:

curl -I <snipe-it-url>/items/new | grep -i 'set-cookie'

攻击时间线

  1. Disclosure

    disclosure

  2. Patch

    patch

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.25% (48% 百分位)

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H9.1CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件snipe/snipe-it
供应商snipe
影响范围修复版本
unspecified – v5.4.3v5.4.3

软件包信息

最后更新
8.5.0最近

弱点分类 (CWE)

CWE-79

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2022-1380 is to immediately upgrade Snipe-IT to version v5.4.3 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Item name parameter to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor Snipe-IT logs for suspicious activity, particularly unusual script execution or attempts to access sensitive data.

修复方法翻译中…

Actualice Snipe-IT a la versión 5.4.3 o superior. Esta versión contiene la corrección para la vulnerabilidad XSS almacenada. Puede descargar la última versión desde el sitio web oficial o el repositorio de GitHub.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2022-1380 — Stored XSS in Snipe-IT?

CVE-2022-1380 is a critical stored XSS vulnerability in Snipe-IT versions up to v5.4.3, allowing attackers to inject malicious scripts through the Item name parameter.

Am I affected by CVE-2022-1380 in Snipe-IT?

Yes, if you are running Snipe-IT versions prior to v5.4.3, you are vulnerable to this XSS attack. Upgrade immediately.

How do I fix CVE-2022-1380 in Snipe-IT?

Upgrade Snipe-IT to version v5.4.3 or later. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.

Is CVE-2022-1380 being actively exploited?

While no confirmed active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high risk of future attacks.

Where can I find the official Snipe-IT advisory for CVE-2022-1380?

Refer to the Snipe-IT security advisory on their GitHub repository: https://github.com/snipe/snipe-it/security/advisories/GHSA-5p7g-x49w-999c

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE