CVSS3: 5.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS2: 3.5 Low
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 30.7%
GLPI is a free asset and IT management software package that provides ITIL
Service Desk features, license tracking and software auditing. In versions
prior to 10.0.0, one can use a ticket’s followups or set up login messages with
a stylesheet link. This may allow for a cross-site scripting attack vector.
This issue is partially mitigated by the CORS security of browsers, though
users are still advised to upgrade.
github.com/glpi-project/glpi/blob/10.0/bugfixes/CHANGELOG.md#1000-2022-04-20
github.com/glpi-project/glpi/commit/ac9f1f03c5d2545b7e290197dbfebc3f752f810e
github.com/glpi-project/glpi/releases/tag/10.0.0
github.com/glpi-project/glpi/security/advisories/GHSA-p94c-8qp5-gfpx
launchpad.net/bugs/cve/CVE-2022-24869
nvd.nist.gov/vuln/detail/CVE-2022-24869
security-tracker.debian.org/tracker/CVE-2022-24869
www.cve.org/CVERecord?id=CVE-2022-24869