Headline
CVE-2022-39371: Stored XSS through asset inventory
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.
Package
glpi (glpi)
Affected versions
>= 10.0.0
Patched versions
10.0.4
Description
Impact
Script related HTML tags in assets inventory information are not properly neutralized.
Patches
Upgrade to 10.0.4.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
High
7.5
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID
CVE-2022-39371
Weaknesses
CWE-80