CVE-2024-27104 - Vulnerability Details - OpenCVE

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00373.

Key SSVC decision points have not yet been added.

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-24354	GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65
https://github.com/glpi-project/glpi/releases/tag/10.0.13
https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj

History

Thu, 02 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Glpi-project Glpi-project glpi
CPEs		cpe:2.3:a:glpi-project:glpi::::::::
Vendors & Products		Glpi-project Glpi-project glpi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-18T16:16:38.709Z

Updated: 2024-08-26T14:00:56.673Z

Reserved: 2024-02-19T14:43:05.994Z

Link: CVE-2024-27104

Vulnrichment

Updated: 2024-08-02T00:27:59.887Z

NVD

Status : Analyzed

Published: 2024-03-18T17:15:06.890

Modified: 2025-01-02T15:47:16.617

Link: CVE-2024-27104

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27104", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.994Z", "datePublished": "2024-03-18T16:16:38.709Z", "dateUpdated": "2024-08-26T14:00:56.673Z"}, "containers": {"cna": {"title": "Stored XSS in dashboards in GLPI", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj"}, {"name": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 9.5.0, < 10.0.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T16:16:38.709Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.\n"}], "source": {"advisory": "GHSA-prc3-cx5m-h5mj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.887Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj"}, {"name": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}]}, {"affected": [{"vendor": "glpi-project", "product": "glpi", "cpes": ["cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.5.0", "status": "affected", "lessThan": "10.0.13", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-18T19:10:22.710585Z", "id": "CVE-2024-27104", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T14:00:56.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "name": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.887Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27104", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-18T19:10:22.710585Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*"], "vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": "9.5.0", "lessThan": "10.0.13", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T13:55:00.521Z"}}], "cna": {"title": "Stored XSS in dashboards in GLPI", "source": {"advisory": "GHSA-prc3-cx5m-h5mj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 9.5.0, < 10.0.13"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "name": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T16:16:38.709Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27104", "state": "PUBLISHED", "dateUpdated": "2024-08-26T14:00:56.673Z", "dateReserved": "2024-02-19T14:43:05.994Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-18T16:16:38.709Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C74E461-8C32-4A60-BDEF-57969DABC409", "versionEndExcluding": "10.0.13", "versionStartIncluding": "9.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.\n"}, {"lang": "es", "value": "GLPI es un paquete gratuito de software de gesti\u00f3n de TI y activos, gesti\u00f3n de centros de datos, ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. Un usuario con derechos para crear y compartir paneles puede crear un panel que contenga c\u00f3digo javascript. Cualquier usuario que abra este panel estar\u00e1 sujeto a un ataque XSS. Este problema se solucion\u00f3 en la versi\u00f3n 10.0.13."}], "id": "CVE-2024-27104", "lastModified": "2025-01-02T15:47:16.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-18T17:15:06.890", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-prc3-cx5m-h5mj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}