Snipe-IT prior to version 5.4.3 is vulnerable to stored cross-site scripting because the input to the checked_out_to parameter is not escaped. The vulnerability is capable of stealing a user's cookie.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-1445
• snipe/snipe-it@f623d05
• https://huntr.dev/bounties/f4420149-5236-4051-a458-5d4f1d5b7abd