Unauthenticated User Can Trigger Reflected XSS Vulnerability in GLPI
CVE-2024-27914

6.1MEDIUM

Key Information:

Vendor
Glpi-project
Status
Glpi
Vendor
CVE Published:
18 March 2024

Summary

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

Affected Version(s)

glpi >= 10.0.8, < 10.0.13

References

https://github.com/glpi-project/glpi/security/advisories/...
x_refsource_CONFIRM
https://github.com/glpi-project/glpi/commit/69e0dee8de0c0...
x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/10.0.13
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.