Reflected XSS Vulnerability in GLPI IT Management Software
CVE-2025-21627

6.5MEDIUM

Key Information:

Vendor: GLPI Project
Status: Glpi
Vendor: CVE Published:; 25 February 2025

Summary

GLPI, a popular free asset and IT management software, is susceptible to a reflected XSS vulnerability in versions prior to 10.0.18. This security issue arises from the search page, where an attacker can craft a malicious link to exploit the vulnerability, especially if anonymous ticket creation is enabled. As a result, an unauthenticated user can potentially execute malicious scripts, compromising the security of the application and its users. The vulnerability has been addressed in version 10.0.18, which includes a fix to mitigate this risk.

Affected Version(s)

glpi < 10.0.18

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2025
Vulnerability Reserved
Dec 29, 2024