CVE-2018-7563: Cross-site Scripting in GLPI

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 33.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 12
Latest update: May 14

Description

An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystr

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA (2022-05-14): GHSA-36vr-6mp8-v579: An issue was discovered in GLPI through 9
OSV (2018-03-12): CVE-2018-7563: An issue was discovered in GLPI through 9

💬 Community (3)

Bugzilla (2018-03-13): CVE-2018-7563 glpi: various flaws [fedora-all]
Bugzilla (2018-03-13): CVE-2018-7563 glpi: various flaws [epel-7]
Bugzilla (2018-03-13): CVE-2018-7563 glpi: XSS vulnerability in the query string to front/preference.php