GitHub_MCVELIST:CVE-2023-28633CVE-2023-28633 GLPI vulnerable to Blind Server-Side Request Forgery (SSRF) in RSS feeds
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
30.8%
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
CNA Affected
[
{
"vendor": "glpi-project",
"product": "glpi",
"versions": [
{
"version": ">= 0.84, < 9.5.13",
"status": "affected"
},
{
"version": ">= 10.0.0, < 10.0.7",
"status": "affected"
}
]
}
]Related
3.5 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
30.8%