CVE-2022-24869
MEDIUMGLPI < 10.0.0 - Cross-Site Scripting via Ticket Followups or Login Message Stylesheet Link
Title source: llmDescription
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx
Patch, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/glpi-project/glpi/releases/tag/10.0.0
Scores
CVSS v3
4.6
EPSS
0.0074
EPSS Percentile
49.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
glpi-project/glpi
< 0.90
Published
Apr 21, 2022
Tracked Since
Feb 18, 2026