CVE-2024-27914

MEDIUM

Glpi < 10.0.13 - XSS

Title source: rule

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

Exploits (1)

nomisec WORKING POC

by shellkraft · poc

https://github.com/shellkraft/CVE-2024-27914

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r

[Patch] https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95

[Release Notes] https://github.com/glpi-project/glpi/releases/tag/10.0.13

Scores

CVSS v3 5.3

EPSS 0.0266

EPSS Percentile 85.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

glpi-project/glpi 10.0.8 - 10.0.13

Published Mar 18, 2024

Tracked Since Feb 18, 2026