CVE-2023-22724
Severity: MEDIUM
GLPI 10.0.0-10.0.5 - Stored Cross-Site Scripting via RSS Feed Import
GLPI is a free asset and IT management software package. Versions prior to 10.0.6 are subject to cross-site scripting via malicious RSS feeds. An administrator can import a malicious RSS feed that contains cross-site scripting (XSS) payloads inside RSS links. Victims who view the imported RSS content and click on such a link will execute the JavaScript. This issue is patched in 10.0.6.
References (1)
Core reference (Third Party Advisory, x_refsource_confirm): https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff
Scores
CVSS v3: 6.2
EPSS: 0.0032
EPSS Percentile: 54.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1)
glpi-project/glpi: 10.0.0 - 10.0.6
Published: Jan 26, 2023
Tracked Since: Feb 18, 2026