CVE-2021-21325 MEDIUM

CVE-2021-21325: Stored XSS in budget type

Vendor Glpi-Project
Product glpi
Weakness CWE-79 · XSS
Published March 8, 2021
Last update August 3, 2024

CVSS base score

6.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

What the vulnerability does

Description

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.4, a new budget type can be defined by a user. This input is not correctly filtered, which results in a stored cross-site scripting vulnerability. To exploit this endpoint, an attacker needs to be authenticated. This is fixed in version 9.5.4.

Key dates

Disclosure timeline

March 8, 2021 CVE published
August 3, 2024 Record updated