CVE-2023-5452: 
PHP vulnerability analysis and mitigation

A Stored Cross-site Scripting (XSS) vulnerability was discovered in GitHub repository snipe/snipe-it prior to version 6.2.2. The vulnerability was assigned CVE-2023-5452 and was disclosed on October 6, 2023. This security issue affects the Snipe-IT asset management system (NVD).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). The vulnerability specifically relates to stored XSS in the asset history functionality where values were not properly escaped (NVD, GitHub Patch).

The vulnerability could allow an attacker to execute malicious scripts in the context of other users' browsers, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. The CVSS scoring indicates that while the vulnerability requires low attack complexity, it has limited potential for confidentiality and integrity impacts (NVD).

The vulnerability has been patched in Snipe-IT version 6.2.2. Users are advised to upgrade to this version or later to mitigate the risk. The fix involves properly escaping asset history old and new values using Laravel's e() function (GitHub Patch).