
CVE-2025-65622: n/a

Published: Mon Dec 01 2025 (12/01/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session.

AI-Powered Analysis

AI analysis last updated: 12/01/2025, 21:56:14 UTC

Technical Analysis

CVE-2025-65622 is a stored cross-site scripting (XSS) vulnerability identified in the Snipe-IT asset management software prior to version 8.3.4. The vulnerability arises from insufficient sanitization of user input in the 'Country' field within the Locations module. A low-privileged authenticated user can inject arbitrary JavaScript code into this field, which is then stored persistently on the server. When other users view the affected Locations data, the malicious script executes in their browsers under the context of the legitimate application session. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of the victim, or the delivery of further malware payloads. The attack vector requires the attacker to have valid user credentials but does not require administrative privileges, making it accessible to a broader range of internal threat actors or compromised accounts. No public exploits have been reported yet, but the vulnerability is publicly disclosed and patched in version 8.3.4. The lack of a CVSS score necessitates an independent severity assessment. The vulnerability impacts confidentiality and integrity primarily, with potential availability impacts if exploited to disrupt user sessions or escalate privileges. The scope is limited to environments running vulnerable Snipe-IT versions with multiple users accessing the Locations module. The vulnerability highlights the importance of proper input validation and output encoding in web applications handling user-generated content.

Potential Impact

For European organizations, the impact of CVE-2025-65622 can be significant in environments where Snipe-IT is used for asset management and multiple users have access to location data. Successful exploitation could allow attackers to hijack sessions of other users, potentially leading to unauthorized access to sensitive asset information, manipulation of asset records, or further lateral movement within the network. This could compromise the confidentiality and integrity of asset management data, which is critical for compliance, operational continuity, and security audits. Additionally, session hijacking could facilitate privilege escalation or unauthorized administrative actions if the victim has elevated rights. The vulnerability’s requirement for authentication limits exposure to internal or previously compromised users, but insider threats or phishing attacks could leverage this vector. European organizations in sectors with stringent asset tracking requirements, such as manufacturing, healthcare, and government, may face increased risk and regulatory scrutiny if exploited. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially after public disclosure.

Mitigation Recommendations

To mitigate CVE-2025-65622, organizations should immediately upgrade Snipe-IT installations to version 8.3.4 or later, where the vulnerability is patched. In parallel, implement strict input validation on the 'Country' field and other user-supplied inputs to reject or sanitize potentially malicious scripts. Employ output encoding techniques to ensure that any user-generated content rendered in the browser does not execute as code. Conduct regular security audits and penetration testing focused on web application input handling. Limit user privileges to the minimum necessary, especially for users who can modify location data. Monitor application logs for unusual activity related to location updates or user sessions. Educate users about phishing and credential security to reduce the risk of account compromise. Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.
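As an added illustration (not Snipe-IT's own code; the Location records, the Blade-style render functions and the audit-log line format are all constructed here), this Python models the two defensive halves the recommendations above call for: escaping the stored Country value at render time so it stays text, and a detection heuristic run over location-update log lines to surface values that look like markup.

```python
import html
import re

# Constructed sample records: what a Locations row might hold (not real Snipe-IT data).
LOCATIONS = [
    {"id": 1, "name": "Berlin HQ", "country": "Germany"},
    {"id": 2, "name": "Lab", "country": "<script>alert(document.cookie)</script>"},
]

# Anything that looks like HTML or script in a field that should only hold a country name.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def is_suspicious_country(value: str) -> bool:
    """Detection heuristic: markup or script-like tokens, or an implausibly long value."""
    return bool(MARKUP_RE.search(value)) or len(value) > 64


def render_unsafe(loc: dict) -> str:
    """Models the defect: raw interpolation (like Blade {!! !!}); stored text becomes markup."""
    return f"<td>{loc['country']}</td>"


def render_safe(loc: dict) -> str:
    """Output encoding: escape on render (like Blade {{ }}), so the stored value stays text."""
    return f"<td>{html.escape(loc['country'], quote=True)}</td>"


# Constructed audit log lines in a hypothetical format (not Snipe-IT's own log schema).
AUDIT_LOG = """\
2025-12-01T09:41:02Z user=alice action=location.update id=1 country="Germany"
2025-12-01T09:43:17Z user=bob action=location.update id=2 country="<script>alert(document.cookie)</script>"
2025-12-01T09:44:05Z user=carol action=asset.checkout id=77 asset=LAPTOP-0042
"""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=location\.update id=(?P<id>\d+) country="(?P<country>.*)"$'
)


def scan_audit_log(text: str) -> list[dict]:
    """Return the location updates whose Country value trips the heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_country(m["country"]):
            hits.append({"ts": m["ts"], "user": m["user"], "id": int(m["id"])})
    return hits


if __name__ == "__main__":
    for loc in LOCATIONS:
        print(render_unsafe(loc), "->", render_safe(loc))
    print(scan_audit_log(AUDIT_LOG))
```

The escaped output is the fix the upgrade delivers at the rendering layer; the log scan is a retrospective check for values written before the upgrade.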


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 692e0bb43937fa579fdf7d55

Added to database: 12/1/2025, 9:42:12 PM

Last enriched: 12/1/2025, 9:56:14 PM

Last updated: 12/1/2025, 10:56:12 PM
