CVE-2023-22725

2023-01-2621:18:12

CWE-79

GitHub_M

web.nvd.nist.gov

glpi

free asset management

it management software

cross-site scripting

cve-2023-22725

security patch

CVSS3

6.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

23.5%

JSON

GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

Affected configurations

Nvd

Vulners

Node

glpi-projectglpiRange0.60–9.5.12

glpi-projectglpiRange10.0.0–10.0.6

VendorProductVersionCPE
glpi-projectglpi*cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi-project	glpi	*	cpe:2.3:a:glpi-project:glpi::::::::

CNA Affected

[
  {
    "vendor": "glpi-project",
    "product": "glpi",
    "versions": [
      {
        "version": ">=0.60, < 10.0.6",
        "status": "affected"
      }
    ]
  }
]