CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
25.7%
GLPI is a free asset and IT management software package. Starting in
version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with
dashboard administration rights may hack the dashboard form to store
malicious code that will be executed when other users will use the related
dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
github.com/glpi-project/glpi/releases/tag/10.0.7
github.com/glpi-project/glpi/releases/tag/9.5.13
github.com/glpi-project/glpi/security/advisories/GHSA-65gq-p8hg-7m92
launchpad.net/bugs/cve/CVE-2023-28852
nvd.nist.gov/vuln/detail/CVE-2023-28852
security-tracker.debian.org/tracker/CVE-2023-28852
www.cve.org/CVERecord?id=CVE-2023-28852