CVELIST:CVE-2021-21258
Mar 02, 2021 - 7:45 p.m.

CVE-2021-21258 XSS injection in ajax/kanban

2021-03-02 19:45:17
CWE-79
GitHub_M
www.cve.org
5
glpi
xss
vulnerability
ajax/kanban.php
version 9.5.0
version 9.5.4

CVSS3: 6.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

EPSS: 0.001
Percentile: 19.4%

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4.

CNA Affected

[
  {
    "product": "glpi",
    "vendor": "glpi-project",
    "versions": [
      {
        "status": "affected",
        "version": ">= 9.5.0, < 9.5.4"
      }
    ]
  }
]
