CVE-2022-24869 — Cross-site Scripting in Glpi

CWE-79 — Cross-site Scripting1 documents1 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 45.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedApr 21

Description

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDglpi-project/glpi0.90

▶CVEListV5glpi-project/glpi>= 0.90, < 10.0.0

Patches

Patch: github.com ↗Patch: github.com ↗