Stored Cross-Site Scripting vulnerability in Item name parameter in GitHub repository snipe/snipe-it prior to v5.4.3. The vulnerability is capable of stealing the user's cookie.

Reference: https://huntr.dev/bounties/3d45cfca-3a72-4578-b735-98837b998a12

Upstream patch: https://github.com/snipe/snipe-it/commit/f211c11034baf4281aa62e7b5e0347248d995ee9
Created python-snipeit tracking bugs for this issue:

Affects: epel-all [bug 2079001]
Affects: fedora-all [bug 2079002]
Thanks for the notification. The issue is fixed in the new upstream version 5.4.3, already released, which I'll take care of with new package builds.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Reported against the wrong component. The python-snipeit package is built from upstream https://github.com/jbloomer/SnipeIT-PythonAPI. A package for snipe/snipe-it does not actually exist yet.