OpenCVE

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c

History

Tue, 19 Nov 2024 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Glpi-project Glpi-project glpi
CPEs		cpe:2.3:a:glpi-project:glpi::::::::
Vendors & Products		Glpi-project Glpi-project glpi

Fri, 15 Nov 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 15 Nov 2024 20:30:00 +0000

Type	Values Removed	Values Added
Description		GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.
Title		GLPI has a reflected XSS in ajax/cable.php
Weaknesses		CWE-79
References		https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-15T20:14:33.893Z

Updated: 2024-11-15T21:10:37.523Z

Reserved: 2024-09-02T16:00:02.425Z

Link: CVE-2024-45610

Vulnrichment

Updated: 2024-11-15T21:10:24.725Z

NVD

Status : Analyzed

Published: 2024-11-15T21:15:09.370

Modified: 2024-11-19T21:07:46.790

Link: CVE-2024-45610

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45610", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-02T16:00:02.425Z", "datePublished": "2024-11-15T20:14:33.893Z", "dateUpdated": "2024-11-15T21:10:37.523Z"}, "containers": {"cna": {"title": "GLPI has a reflected XSS in ajax/cable.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 10.0.0, < 10.0.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T20:14:33.893Z"}, "descriptions": [{"lang": "en", "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17."}], "source": {"advisory": "GHSA-vvr8-chwj-9m4c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-15T21:10:20.262720Z", "id": "CVE-2024-45610", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T21:10:37.523Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45610", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-15T21:10:20.262720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T21:10:24.725Z"}}], "cna": {"title": "GLPI has a reflected XSS in ajax/cable.php", "source": {"advisory": "GHSA-vvr8-chwj-9m4c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 10.0.0, < 10.0.17"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T20:14:33.893Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45610", "state": "PUBLISHED", "dateUpdated": "2024-11-15T21:10:37.523Z", "dateReserved": "2024-09-02T16:00:02.425Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-15T20:14:33.893Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8C93409-21A2-459E-9451-2D915D941D40", "versionEndExcluding": "10.0.17", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17."}, {"lang": "es", "value": "GLPI es un paquete de software de gesti\u00f3n de activos y TI de c\u00f3digo abierto que proporciona funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. Un usuario no autenticado puede proporcionar un enlace malicioso a un t\u00e9cnico de GLPI para explotar una vulnerabilidad XSS reflejado ubicada en el formulario Cable. Actualice a 10.0.17."}], "id": "CVE-2024-45610", "lastModified": "2024-11-19T21:07:46.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-15T21:15:09.370", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}