CVE-2025-59712: Snipe-IT allows XSS
6.4
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
snipe/snipe-it | composer | < 8.1.18 | 8.1.18 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The analysis started from the release notes for Snipe-IT 8.1.18, the first patched version. The notes explicitly mention a fix that escapes the user_agent and remote_ip variables in API results and reference pull request #17330. Inspecting that pull request and its commit pinpoints the code change: the diff wraps the remote_ip and user_agent fields in Laravel's e() (HTML escape) helper inside the transformActionlog method of ActionlogsTransformer.php. Before the patch these two values were returned verbatim. Both are attacker-influenced: user_agent is recorded from the request's User-Agent header, which any client sets freely, and remote_ip can be influenced through forwarded-for headers depending on the proxy configuration in front of the application. A payload stored in either field is served unchanged in the action-log API response, and because the application's activity tables are populated from this API and render the returned strings as HTML, the payload executes in the browser of whoever views the log: a stored cross-site scripting (XSS) vulnerability. transformActionlog is therefore the vulnerable function, since it is where the unescaped, potentially malicious data was assembled into the API result.
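The following stand-alone PHP script is an added illustration and not Snipe-IT's own code. It reconstructs a minimal transformer in the pre-8.1.18 shape beside the patched shape, and runs both over a constructed action-log row whose remote_ip and user_agent carry script payloads. The e() function is a stand-in that assumes Laravel's helper behaves as htmlspecialchars with ENT_QUOTES, UTF-8 and double encoding enabled; the field set, the helper isEscaped() and the sample row are assumptions for the demonstration, not the project's real transformer.

```php
<?php
// Added example (not Snipe-IT's code): unescaped vs. escaped action-log
// transformer output for the two attacker-influenced fields.

// Stand-in for Laravel's e() helper. Assumption: the real helper calls
// htmlspecialchars with ENT_QUOTES, UTF-8 and double_encode = true.
function e(?string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Constructed sample row. user_agent mirrors what a client can put in its
// User-Agent header; the remote_ip payload stands in for a value injected
// through a forwarded-for header behind a misconfigured proxy.
$row = [
    'id'          => 1,
    'action_type' => 'checkout',
    'remote_ip'   => '<img src=x onerror=alert(1)>',
    'user_agent'  => '<script>alert(document.cookie)</script>',
];

// Hypothetical pre-patch shape: values pass through untouched, so the JSON
// consumer receives raw markup.
function transformActionlogVulnerable(array $log): array
{
    return [
        'id'          => (int) $log['id'],
        'action_type' => $log['action_type'],
        'remote_ip'   => $log['remote_ip'],
        'user_agent'  => $log['user_agent'],
    ];
}

// Patched shape: the two attacker-influenced fields are HTML-escaped before
// they leave the transformer, matching the change in PR #17330.
function transformActionlogFixed(array $log): array
{
    return [
        'id'          => (int) $log['id'],
        'action_type' => $log['action_type'],
        'remote_ip'   => e($log['remote_ip']),
        'user_agent'  => e($log['user_agent']),
    ];
}

// Reviewer check (assumed helper): neither escaped field may still contain a
// character that could open a tag or break out of an attribute.
function isEscaped(array $out): bool
{
    foreach (['remote_ip', 'user_agent'] as $field) {
        if (preg_match('/[<>"\']/', $out[$field])) {
            return false;
        }
    }
    return true;
}

$vulnerable = transformActionlogVulnerable($row);
$fixed      = transformActionlogFixed($row);

// json_encode does not touch '<' or '>' unless JSON_HEX_TAG is set, so the
// vulnerable response carries the payload byte-for-byte.
echo "pre-patch response:\n", json_encode($vulnerable, JSON_PRETTY_PRINT), "\n";
echo "patched response:\n",   json_encode($fixed, JSON_PRETTY_PRINT), "\n";

printf("pre-patch fields safe for HTML insertion: %s\n", isEscaped($vulnerable) ? 'yes' : 'no');
printf("patched fields safe for HTML insertion:   %s\n", isEscaped($fixed) ? 'yes' : 'no');
```

Run it with php on the command line. One caveat worth keeping in mind when reviewing the fix: escaping inside the API transformer protects a front end that inserts the strings as HTML, but it also means any other API consumer (a script reading the JSON, or a view that sets text rather than HTML) now sees entity-encoded values such as `&lt;script&gt;` instead of the original User-Agent string.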
Vulnerable functions
App\Http\Transformers\ActionlogsTransformer::transformActionlog
app/Http/Transformers/ActionlogsTransformer.php