Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-39277— Cross-Site Scripting (XSS) in external links in GLPI

CVSS 4.5 · Medium EPSS 0.31% · P54
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-39277

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Cross-Site Scripting (XSS) in external links in GLPI
Source: NVD (National Vulnerability Database)
Vulnerability Description
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
GLPI 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口,你可以用它来建立数据库全面管理IT的电脑,显示器,服务器,打印机,网络设备,电话,甚至硒鼓和墨盒等。 GLPI 10.0.4之前版本存在跨站脚本漏洞,该漏洞源于外部链接未正确清理,可用于跨站脚本(XSS)攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
glpi-projectglpi >= 0.60, < 10.0.4 -

II. Public POCs for CVE-2022-39277

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2022-39277

登录查看更多情报信息。

Same Patch Batch · glpi-project · 2022-11-03 · 11 CVEs total

CVE-2022-393717.5 HIGHStored Cross-Site Scripting (XSS) through asset inventory in GLPI
CVE-2022-393237.4 HIGHSQL Injection on REST API in GLPI
CVE-2022-392625.2 MEDIUMStored Cross-Site Scripting (XSS) on login page in GLPI
CVE-2022-393734.9 MEDIUMStored Cross-Site Scripting (XSS) in entity name in GLPI
CVE-2022-392344.7 MEDIUMuser session persists even after permanently deleting account in GLPI
CVE-2022-393754.5 MEDIUMCross-Site Scripting (XSS) through public RSS feed in GLPI
CVE-2022-393704.3 MEDIUMImproper access to debug panel in GLPI
CVE-2022-392763.5 LOWBlind Server-Side Request Forgery (SSRF) in RSS feeds and planning
CVE-2022-393723.5 LOWStored Cross-Site Scripting (XSS) in user information in GLPI
CVE-2022-393762.6 LOWImproper input validation on emails links in GLPI

IV. Related Vulnerabilities

Same product: glpi
Same vendor: glpi-project
Same weakness: CWE-79

V. Comments for CVE-2022-39277

No comments yet

Leave a comment