CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22724 – glpi contains XSS in RSS Description Link
https://notcve.org/view.php?id=CVE-2023-22724
GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6. • https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22725 – glpi vulnerable to XSS on external links
https://notcve.org/view.php?id=CVE-2023-22725
GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-f5g6-fxrw-pfj7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-23610 – glpi vulnerable to Unauthorized access to data export
https://notcve.org/view.php?id=CVE-2023-23610
GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf • CWE-269: Improper Privilege Management CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39373 – Stored Cross-Site Scripting (XSS) in entity name in GLPI
https://notcve.org/view.php?id=CVE-2022-39373
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4. GLPI significa Gestionnaire Libre de Parc Informatique. • https://github.com/glpi-project/glpi/security/advisories/GHSA-cw37-q82c-w546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39376 – Improper input validation on emails links in GLPI
https://notcve.org/view.php?id=CVE-2022-39376
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. • https://github.com/glpi-project/glpi/security/advisories/GHSA-6rh5-m5g7-327w • CWE-20: Improper Input Validation •