A vulnerability classified as problematic was found in GLPI up to 10.0.5 (Asset Management Software). Affected by this vulnerability is some unknown processing of the component RSS Feed Handler. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. The summary by CVE is:

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

The weakness was disclosed 01/27/2023 as GHSA-x9g4-j85w-cmff. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2023-22724 since 01/06/2023. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK.

Upgrading to version 10.0.6 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Asset Management Software

Name

• GLPI

Version

• 10.0.0
• 10.0.1
• 10.0.2
• 10.0.3
• 10.0.4
• 10.0.5

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion