snipe/snipe-it is vulnerable to cross-site scripting (XSS). User input are not escaped before being displayed on a user’s browser, allowing remote attackers to inject arbitrary Javascript into a victim’s browser via log_meta
values and user’s last name in the API.