CVE-2024-27914

Reflected Cross-Site Scripting (XSS) in search engine when debug mode is enabled in GLPI

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditoría de software. Un usuario no autenticado puede proporcionar un enlace malicioso a un administrador GLPI para explotar una vulnerabilidad XSS reflejado. El XSS solo se activará si el administrador navega por la barra de depuración. Este problema se solucionó en la versión 10.0.13.

*Credits: N/A

CVSS Scores

GitHubv3.1 5.3

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-28 CVE Reserved
2024-03-18 CVE Published
2024-03-19 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95	X_refsource_misc
https://github.com/glpi-project/glpi/releases/tag/10.0.13	X_refsource_misc
https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Glpi-project Search vendor "Glpi-project"		Glpi Search vendor "Glpi-project" for product "Glpi"				>= 10.0.8 < 10.0.13 Search vendor "Glpi-project" for product "Glpi" and version " >= 10.0.8 < 10.0.13"		en		Affected