CVE-2023-28639 in GLPI
Summary
by MITRE • 04/05/2023
GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.
Analysis
by VulDB Data Team • 12/07/2025
CVE-2023-28639 affects GLPI, a widely used open-source asset and IT management package that organizations rely on to maintain inventory, track tickets, and manage IT infrastructure. It is a reflected cross-site scripting flaw that lets an attacker run script in the browser of an authenticated GLPI user, which makes it a significant concern for any organization running GLPI for asset management. Versions from 0.85 up to, but not including, 9.5.13 and 10.0.7 are affected, so the window of exposure covers potentially thousands of installations worldwide.
The root cause is insufficient input validation and output encoding in GLPI's web interface. An unauthenticated attacker can craft a URL whose parameter carries a script payload; when an authenticated user opens that URL, the application writes the parameter back into the dynamically generated page without sanitizing or encoding it, so the payload is reflected to the victim's browser and executes in the victim's session context.
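The defect class described above, shown as an added example (not GLPI's own code): a minimal handler that reflects a query parameter into HTML without encoding, beside the corrected version that applies output encoding. The endpoint name, the `q` parameter and the crafted request are assumptions constructed for the illustration.

```python
import html
from urllib.parse import parse_qs


def render_search_vulnerable(query_string: str) -> str:
    """Reflect the 'q' parameter into the page as-is.

    This is the reflected-XSS defect: whatever the URL carries is copied
    into the HTML response, so markup in the parameter becomes markup in
    the page.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    term = params.get("q", [""])[0]
    return f"<h1>Results for {term}</h1>"


def render_search_fixed(query_string: str) -> str:
    """Same handler with output encoding applied at the HTML sink.

    html.escape with quote=True turns <, >, &, " and ' into entities, so
    the browser renders the parameter as text instead of parsing it as
    markup. This is the generic fix for CWE-79 at an HTML-body context.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    term = params.get("q", [""])[0]
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def reflects_raw_markup(page: str) -> bool:
    """Check used by the demonstration: does the response contain a raw tag?"""
    return "<script" in page.lower()


# Constructed crafted query string (percent-encoded <script>alert(1)</script>),
# the kind of parameter a malicious link would carry.
CRAFTED_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(CRAFTED_QUERY))
    print("fixed:     ", render_search_fixed(CRAFTED_QUERY))
```

Encoding belongs at the output sink, not only at input: a value that is harmless in one context (an HTML attribute, a JavaScript string, a URL) needs a different encoding in another, and the fix is to encode for the context the value is written into. Note that session-cookie flags such as HttpOnly limit cookie theft but do not stop the script from acting inside the session, so they complement rather than replace output encoding.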
Because the script runs inside the authenticated session, the impact goes beyond simple script execution: an attacker could steal session cookies, redirect the user to a malicious site, modify page content, or act with administrative rights if the victim holds them. The only prerequisite is that an authenticated user open the crafted link, which makes the flaw particularly dangerous where users routinely follow external links or where phishing is common. An unpatched instance exposes the organization to data breaches, unauthorized access to sensitive IT asset records, and potential wider system compromise.
Organizations running GLPI should update to version 9.5.13 or 10.0.7, which contain the fix for this reflected XSS. Administrators should inventory every GLPI installation in their environment and flag those within the vulnerable range. As defense in depth, a web application firewall and monitoring for suspicious URL patterns add protection while patching is under way. The weakness is classified as CWE-79 (cross-site scripting), a critical web application weakness, and is commonly referenced under ATT&CK technique T1059.001 for command and scripting interpreter execution. Regular security audits and patch management should be strengthened so that similar flaws in other enterprise applications are remediated promptly, since reflected XSS remains one of the most prevalent web application attack vectors.
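The "monitor for suspicious URL patterns" recommendation above, as an added example that is not part of the VulDB analysis: a small scanner over web-server access logs in Combined Log Format that URL-decodes each query string (including double-encoded values) and flags requests whose parameters contain HTML tags, inline event handlers or `javascript:` URIs, the markers a reflected-XSS attempt against a GLPI-style application would leave behind. The log lines, paths and client addresses are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined/Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers checked against the decoded query string. Each is deliberately
# narrow: "<" must start a tag name (so "price<100" is not flagged), and an
# event handler needs a word boundary (so "action=open" is not flagged).
INDICATORS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are seen as sent to the app."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for one log line, or None if it is clean or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.query:
        return None
    decoded = fully_decode(parts.query)
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": parts.path,
        "status": m.group("status"),
        "indicators": hits,
        "decoded_query": decoded,
    }


def scan_log(lines):
    """Scan many log lines; returns only the flagged entries in order."""
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample log: two benign requests, one plainly encoded attempt,
# one double-encoded attempt.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Apr/2023:10:00:01 +0000] "GET /app/list.php?action=open&id=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Apr/2023:10:00:02 +0000] "GET /app/search.php?q=price%3C100 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Apr/2023:10:00:03 +0000] "GET /app/search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2100',
    '198.51.100.9 - - [05/Apr/2023:10:00:04 +0000] "GET /app/search.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2100',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["path"], finding["indicators"], finding["decoded_query"])
```

Treat the output as triage input rather than a blocking rule: a 200 response to a flagged request is a hint that the parameter was accepted and possibly reflected, and it identifies which page and parameter to inspect, but legitimate search terms can contain angle brackets, so a WAF rule built from these patterns needs tuning against the application's real traffic.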