Headline
CVE-2022-39372: Stored XSS in user information
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
Package
glpi (glpi)
Affected versions
>= 0.70
Patched versions
10.0.4
Description
Impact
Authenticated user may store malicious code in its account information.
Patches
Upgrade to 10.0.4.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
Low
3.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVE ID
CVE-2022-39372
Weaknesses
CWE-80
Credits
- Edr4