CVE-2023-22724 - OpenCVE

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-25T05:55:10.180Z

Updated: 2024-08-02T10:13:50.187Z

Reserved: 2023-01-06T14:21:05.890Z

Link: CVE-2023-22724

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-26T21:18:12.770

Modified: 2023-11-07T04:07:17.167

Link: CVE-2023-22724

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22724", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-06T14:21:05.890Z", "datePublished": "2023-01-25T05:55:10.180Z", "dateUpdated": "2024-08-02T10:13:50.187Z"}, "containers": {"cna": {"title": "glpi contains XSS in RSS Description Link", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": "< 10.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-25T05:55:10.180Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.\n"}], "source": {"advisory": "GHSA-x9g4-j85w-cmff", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:13:50.187Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "B025E2D5-B467-460F-A5B0-053D46B581E6", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.\n"}, {"lang": "es", "value": "GLPI es un paquete gratuito de software de gesti\u00f3n de TI y activos. Las versiones anteriores a la 10.0.6 est\u00e1n sujetas a cross-site scripting a trav\u00e9s de canales RSS maliciosos. Un administrador puede importar una fuente RSS maliciosa que contenga payloads de Cross Site Scripting (XSS) dentro de enlaces RSS. Las v\u00edctimas que deseen visitar un contenido RSS y hacer clic en el enlace ejecutar\u00e1n el Javascript. Este problema se solucion\u00f3 en 10.0.6."}], "id": "CVE-2023-22724", "lastModified": "2023-11-07T04:07:17.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:12.770", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}