CVE-2023-22724: XSS in RSS Description Link

GLPI is a free asset and IT management software package. Versions prior to 10.0.6 are subject to cross-site scripting via malicious RSS feeds: an administrator can import a malicious RSS feed whose item links contain cross-site scripting (XSS) payloads. Victims who view the feed content and click the link execute the attacker's JavaScript. This issue is patched in 10.0.6.

CVE

Tags: #xss #java #perl

Moderate

trasher published GHSA-x9g4-j85w-cmff

Jan 24, 2023

Package

glpi (glpi-project)

Affected versions

>= 10.0.0, < 10.0.6

Description

Impact

RSS feed contents and links are not properly sanitized. Any user who has subscribed to a malicious RSS feed, either through their personal feeds or through public RSS feeds, can be the victim of an XSS attack.
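The advisory describes the flaw at the level of the summary and the impact statement only: feed item links (and contents) are interpolated into the page without sanitization. The following is an added example, not GLPI's own code, showing the pattern in miniature: a constructed RSS feed (not a real GLPI feed) is parsed, then rendered once the way the advisory describes and once with the two checks a fix needs, an allow-list on the URL scheme and HTML-escaping of every feed-supplied string. The function names, the feed sample and the `javascript:`/attribute-breakout payloads are all assumptions made for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not a real GLPI feed): one benign item and two hostile ones.
# Item 2 smuggles a javascript: URL; item 3 tries to break out of the href attribute.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>benign</title><link>https://example.com/post/1</link><description>ok</description></item>
<item><title>scheme</title><link>javascript:alert(document.cookie)</link><description>x</description></item>
<item><title>breakout</title><link>https://example.com/" onmouseover="alert(1)</link><description>y</description></item>
</channel></rss>"""

# Only these URL schemes may become clickable links; anything else is dropped.
ALLOWED_SCHEMES = {"http", "https"}


def parse_items(feed_xml):
    """Return a list of dicts with the title, link and description of each <item>."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        })
    return items


def render_item_unsafe(item):
    """The vulnerable pattern: feed data goes straight into HTML (hypothetical, for illustration)."""
    return '<a href="%s">%s</a><p>%s</p>' % (item["link"], item["title"], item["description"])


def safe_href(url):
    """Return the URL if its scheme is allow-listed and it has a host, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_item_safe(item):
    """Hardened rendering: validate the scheme, then escape every feed-supplied string."""
    href = safe_href(item["link"])
    title = html.escape(item["title"], quote=True)
    description = html.escape(item["description"], quote=True)
    if href is None:
        # Drop the link rather than render a hostile URL; the title is still shown.
        return "<span>%s</span><p>%s</p>" % (title, description)
    # quote=True turns " into &quot; so a crafted URL cannot close the attribute.
    return '<a href="%s" rel="noopener noreferrer">%s</a><p>%s</p>' % (
        html.escape(href, quote=True), title, description)


if __name__ == "__main__":
    for entry in parse_items(SAMPLE_FEED):
        print("unsafe:", render_item_unsafe(entry))
        print("safe:  ", render_item_safe(entry))
```

Two points worth noting. Escaping alone is not enough: a `javascript:` URL survives `html.escape` untouched and is still executed by the browser, so the scheme check is what neutralizes the second item, while the escaping is what contains the third. And `xml.etree` is not hardened against entity-expansion attacks; for feeds fetched from arbitrary hosts, parse with `defusedxml` instead.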

Patches

Upgrade to 10.0.6

For more information

If you have any questions or comments about this advisory, mail us at [email protected].

Severity

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
