
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-1445 is a stored cross-site scripting (XSS) vulnerability in the checked_out_to parameter of the GitHub repository snipe/snipe-it, affecting versions prior to 5.4.3. It was disclosed on April 24, 2022, and affects the Snipe-IT asset management system (NVD, CVE).
The vulnerability exists because the checked_out_to parameter is not properly sanitized before the asset management system renders it. When exploited, the stored script executes in the browser of a user viewing the affected page and could be used to steal that user's cookies. NVD assigned the issue a CVSS v3.1 base score of 5.4 (MEDIUM), while huntr.dev rated it 9.0 (CRITICAL) (NVD).
The successful exploitation of this vulnerability could lead to the theft of user cookies, potentially allowing attackers to hijack user sessions and gain unauthorized access to the application. This could compromise user accounts and sensitive information stored within the Snipe-IT system (NVD).
The vulnerability was patched in Snipe-IT version 5.4.3. The fix escapes the checkout_target value with the e() function before it is output. Users are strongly advised to upgrade to version 5.4.3 or later to mitigate this vulnerability (GitHub Patch).
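As an added illustration that is not part of this advisory or of Snipe-IT's own code, the PHP below mirrors the shape of the fix described above: the checkout target is rendered once unescaped and once through an e()-style escape before output. The view layout, the function names and the sample values are assumptions.

```php
<?php
// Added illustration (not Snipe-IT's code): a minimal stand-in for the view that
// renders the "checked out to" target, first without escaping and then with an
// e()-style escape, as the 5.4.3 fix applies. Names and samples are assumptions.

declare(strict_types=1);

// Mirrors Laravel's e() helper: HTML-encode so the browser treats the value as text.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the stored value is concatenated straight into markup,
// so any tag inside it becomes part of the page.
function renderCheckoutTargetUnescaped(string $checkoutTarget): string
{
    return '<td class="checked-out-to">' . $checkoutTarget . '</td>';
}

// Fixed rendering: escape before output, as the patch does with e().
function renderCheckoutTargetEscaped(string $checkoutTarget): string
{
    return '<td class="checked-out-to">' . escapeHtml($checkoutTarget) . '</td>';
}

// Constructed samples: a normal name, a value containing markup of the kind a
// regression test would use, and a name with characters that must stay intact.
$samples = [
    'Jane Doe',
    '<script>alert(1)</script>',
    "O'Brien & Sons",
];

foreach ($samples as $value) {
    echo 'unescaped: ' . renderCheckoutTargetUnescaped($value) . PHP_EOL;
    echo 'escaped:   ' . renderCheckoutTargetEscaped($value) . PHP_EOL;

    // Defender's check: no raw '<', '"' or "'" from the input may survive escaping,
    // so the stored value can never open a tag or break out of an attribute.
    $escaped = escapeHtml($value);
    assert(strpos($escaped, '<') === false);
    assert(strpos($escaped, '"') === false);
    assert(strpos($escaped, "'") === false);
}
```

Running the script prints the unescaped row containing the literal tag beside the escaped row in which it appears as `&lt;script&gt;...`, which is the difference the patch introduces.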
Source: This report was generated using AI