CVE-2022-39277 — Cross-site Scripting in Glpi

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)2 documents2 sources

Severity

4.8MEDIUMNVD

EPSS

0.3%

top 47.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedNov 3

Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶NVDglpi-project/glpi0.60 — 10.0.4

▶CVEListV5glpi-project/glpi>= 0.60, < 10.0.4

Patches

Patch: huntr.dev ↗Patch: huntr.dev ↗

🔴Vulnerability Details

OSV

CVE-2022-39277: GLPI stands for Gestionnaire Libre de Parc Informatique↗2022-11-03

▶