CVE-2023-28639

Summary

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.

Affected Software

VendorProductVersion RangeStatus
glpiglpi0.85 < 0.85*affected
glpiglpi9.5.13 < 9.5.13affected
glpiglpi10.0.0 < 10.0.0*affected
glpiglpi10.0.7 < 10.0.7affected

Weaknesses

  • CWE-79: CWE-79 Cross-site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References