Lucene search

[email protected]NVD:CVE-2023-22722

HistoryJan 26, 2023 - 9:18 p.m.

CVE-2023-22722

2023-01-2621:18:12

CWE-79

[email protected]

web.nvd.nist.gov

glpi

asset management

it management

cross-site scripting

cve-2023-22722

security vulnerability

url exploitation

session cookies

version 10.0.6 patch

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.0%

JSON

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.

Affected configurations

Nvd

Node

glpi-projectglpiRange9.4.0–9.5.12

glpi-projectglpiRange10.0.0–10.0.6

VendorProductVersionCPE
glpi-projectglpi*cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi-project	glpi	*	cpe:2.3:a:glpi-project:glpi::::::::

References

github.com/glpi-project/glpi/security/advisories/GHSA-352j-wr38-493c

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.0%

JSON

Related for NVD:CVE-2023-22722

prion1 cve1 cvelist1 osv1 ubuntucve1 altlinux2 redos1