CVE-2023-34244: Reflected XSS in search pages
GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, an unauthenticated user can craft a malicious link that exploits a reflected XSS when any authenticated user opens it. Users should upgrade to version 10.0.8 to receive a patch.
Moderate
trasher published GHSA-p93p-pwg9-w95w
Jul 5, 2023
Affected versions
>= 9.4.0
Description
Impact
An unauthenticated user can craft a malicious link that exploits a reflected XSS when any authenticated user opens it.
Patches
Upgrade to 10.0.8
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
CVSS base metrics
User interaction
Required
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses