GLPI Dashboard XSS Vulnerability
CVE-2024-27104

4.8MEDIUM

Key Information:

Vendor
Glpi-project
Status
Glpi
Vendor
CVE Published:
18 March 2024

Summary

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

Affected Version(s)

glpi >= 9.5.0, < 10.0.13

References

https://github.com/glpi-project/glpi/security/advisories/...
x_refsource_CONFIRM
https://github.com/glpi-project/glpi/commit/b409ca4378646...
x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/10.0.13
x_refsource_MISC

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.