Headline
CVE-2022-39375: XSS through public RSS feed
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
Moderate
trasher published GHSA-fxcx-93fq-8r9g
Nov 3, 2022
Package
glpi (glpi)
Affected versions
>= 0.84
Patched versions
10.0.4
Description
Impact
User may create a public RSS feed to inject malicious code in dashboard of other users.
Patches
Upgrade to 10.0.4.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
Moderate
4.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CVE ID
CVE-2022-39375
Weaknesses
CWE-79
Credits
- xanhacks