6.3 Medium
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS
Score: 0.001 Low
Percentile: 26.2%
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. Information associated with a registration key is not properly escaped in the registration key configuration page. It can be used to steal a GLPI administrator's cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue.

### Workarounds
Do not use a registration key created by an untrusted person.
References
github.com/glpi-project/glpi/commit/2b8f9aa54ae4a4ec07bde0c8db739a292b8ec09a
github.com/glpi-project/glpi/security/advisories/GHSA-jrgw-cx24-56x5
launchpad.net/bugs/cve/CVE-2022-35945
nvd.nist.gov/vuln/detail/CVE-2022-35945
security-tracker.debian.org/tracker/CVE-2022-35945
www.cve.org/CVERecord?id=CVE-2022-35945