CVE-2024-27914

MEDIUM

GLPI 10.0.8-10.0.12 - Unauthenticated Reflected Cross-Site Scripting via Debug Bar

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-27914. PoCs published by shellkraft.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2024-27914, a reflected XSS vulnerability in GLPI's debug mode. The exploit requires an administrator to click a malicious link, triggering the XSS payload in the debug bar.

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

Exploits (1)

nomisec WORKING POC
by shellkraft · poc
https://github.com/shellkraft/CVE-2024-27914

This repository contains a proof-of-concept for CVE-2024-27914, a reflected XSS vulnerability in GLPI's debug mode. The exploit requires an administrator to click a malicious link, triggering the XSS payload in the debug bar.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: GLPI >= 10.0.8 (patched in 10.0.13)
No auth needed
Prerequisites: GLPI instance in debug mode · Administrator interaction
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.3
EPSS 0.0081
EPSS Percentile 52.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
glpi-project/glpi 10.0.8 - 10.0.13
Published Mar 18, 2024
Tracked Since Feb 18, 2026