CVE-2022-24876
Stored cross-site scripting in GLPI's Kanban
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
GLPI is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. Kanban is a GLPI view that displays Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1, a user can exploit a stored cross-site scripting vulnerability in Kanban by injecting HTML code into their own user name. Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-02-10 CVE Reserved
- 2022-06-09 CVE Published
- 2023-12-31 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)

URL | Tag | Date |
---|---|---|
https://github.com/glpi-project/glpi/security/advisories/GHSA-33g2-m556-gccr | Third Party Advisory | |
https://github.com/glpi-project/glpi/commit/9a3c7487c8761eaa8f3b07589d6dcdfa5d1e4ed6 | | 2022-06-17 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Glpi-project | Glpi | 10.0.0 | - | Affected |
Glpi-project | Glpi | 10.0.0 | beta | Affected |
Glpi-project | Glpi | 10.0.0 | rc1 | Affected |
Glpi-project | Glpi | 10.0.0 | rc2 | Affected |
Glpi-project | Glpi | 10.0.0 | rc3 | Affected |