CVE-2023-28636 GLPI vulnerable to stored Cross-site Scripting in external links

2023-04-0517:21:22

CWE-79

GitHub_M

www.cve.org

cve-2023-28636

glpi

cross-site scripting

external links

administrator

version 0.60

it management software

vulnerability

CVSS3

4.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

25.7%

JSON

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

CNA Affected

[
  {
    "vendor": "glpi-project",
    "product": "glpi",
    "versions": [
      {
        "version": ">= 0.60, < 9.5.13",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0, < 10.0.7",
        "status": "affected"
      }
    ]
  }
]