## **Product Info**

Snipe-IT is a free and open-source (FOSS) IT asset management system built on **Laravel**. It provides hardware asset tracking, software license management, and accessories and consumables inventory for IT operations teams. It is actively maintained and updated frequently.

### **Summary**

A reflected cross-site scripting (XSS) vulnerability exists in **Snipe-IT v8.3.4 (build 202118)** within the CSV import workflow. When an invalid CSV file is uploaded, the application returns a **progress_message** value that is rendered as raw HTML in the admin interface. An attacker who can intercept and modify the **POST `/livewire/update`** request can inject arbitrary JavaScript into the **progress_message** parameter. Because the server neither validates nor escapes this field before reflecting it back to the client, the injected payload executes in the browser of the authenticated admin viewing the Import page, giving arbitrary JavaScript execution in a privileged context.

## **Affected Product**

- **Product:** snipe-it - v8.3.4
- **Vendor:** Grokability
- **Repository:** [https://github.com/grokability/snipe-it](https://github.com/grokability/snipe-it)

## **Affected Component**

- CSV Import UI (`/import`)
- Livewire frontend component
- POST `/livewire/update` request payload
- `progress_message` variable

## **CVSS v3.1 Base Score**

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L (6.4, Medium)

PR:H reflects that the import page is only reachable with an admin account; UI:R reflects that the admin must perform the upload whose request is tampered with.

## **Attack Vector**

An attacker must cause the admin to upload an invalid CSV file (or simulate the workflow). During the process, the client sends a Livewire update containing the `progress_message` field. By intercepting this request with a proxy (Burp Suite, MitM, etc.), the attacker can modify the request body and inject JavaScript into `progress_message`. The server accepts the modified input **without sanitization** and reflects the tainted value directly into the rendered HTML. Note that the tainted field travels in the admin's own request, so an attacker who is not the admin needs a position from which to alter that traffic in transit (a MitM) or an equivalent victim-side vantage point; this write-up describes a reflected, not a stored, injection.
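As an added example (not Snipe-IT's or Livewire's code), the check a tester would use to confirm the finding without firing a live payload, and to regression-test a fix: send a random canary containing HTML metacharacters in `progress_message` and classify how it comes back. The request and response shapes are constructed, simplified stand-ins for the Livewire wire format (assumptions, not the real format); `laravel_e` mimics what Blade's `{{ }}` escaping produces, and the `escape=True` branch models a hardened template rather than any fix the project has shipped.

```python
# Added example (not Snipe-IT or Livewire code). Checks whether a value sent in a
# Livewire update comes back unescaped in the rendered HTML, using a random canary
# instead of a live payload. The request/response shapes below are simplified,
# constructed stand-ins for the real Livewire wire format.
import html
import json
import secrets

# Characters that must be neutralised for the value to be safe inside HTML text.
CANARY_SUFFIX = '<"\'>&'


def make_canary() -> str:
    """Random marker plus HTML metacharacters; the marker keeps matches unambiguous."""
    return "zz" + secrets.token_hex(4) + CANARY_SUFFIX


def laravel_e(value: str) -> str:
    """Mimic Laravel's e() / Blade {{ }} output: htmlspecialchars with ENT_QUOTES,
    which encodes the single quote as &#039; (Python's html.escape uses &#x27;)."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&#039;"))


def build_update_request(progress_message: str) -> str:
    """Constructed stand-in for the tampered POST /livewire/update body (assumption:
    the property is carried under an `updates` map; the real format has more fields)."""
    return json.dumps({"components": [{"updates": {"progress_message": progress_message}}]})


def render_progress_response(progress_message: str, escape: bool) -> str:
    """Constructed stand-in for the server's reply: the component re-renders and
    returns its HTML as a JSON string. escape=False models the reported behaviour
    (value dropped into the template as raw HTML); escape=True models a hardened
    template that passes it through e()."""
    value = laravel_e(progress_message) if escape else progress_message
    fragment = f'<div class="alert alert-danger">{value}</div>'
    return json.dumps({"effects": {"html": fragment}})


def extract_html(body: str) -> str:
    """Pull the HTML out of the JSON envelope before matching. Matching on the raw
    JSON text would be wrong: JSON escapes a double quote as \\" and so hides a raw
    reflection of the canary."""
    try:
        return json.loads(body)["effects"]["html"]
    except (ValueError, KeyError, TypeError):
        return body


def classify_reflection(body: str, canary: str) -> str:
    """'raw': canary came back byte-for-byte with metacharacters intact, so HTML
    injection is possible. 'escaped': only an entity-encoded form appears.
    'absent': the value is not reflected at all."""
    rendered = extract_html(body)
    if canary in rendered:
        return "raw"
    if laravel_e(canary) in rendered or html.escape(canary, quote=True) in rendered:
        return "escaped"
    return "absent"


def probe(vulnerable: bool) -> str:
    """One full round trip against the simulated server; swap render_progress_response
    for a real HTTP call through the proxy to test a live instance."""
    canary = make_canary()
    build_update_request(canary)  # the body a proxy would forward after tampering
    body = render_progress_response(canary, escape=not vulnerable)
    return classify_reflection(body, canary)


if __name__ == "__main__":
    print("vulnerable template:", probe(vulnerable=True))
    print("hardened template: ", probe(vulnerable=False))
```

Matching is done on the decoded HTML, not on the JSON text: the JSON transport escapes `"` as `\"`, so grepping the response body directly can make a raw reflection look escaped. Against a live instance, replace `render_progress_response` with the real HTTP round trip and keep the rest.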
When the admin's browser applies that response (on loading or refreshing the import status screen), the injected payload executes.

```json