CVE-2022-39276 LOW

CVE-2022-39276: Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning

Vendor Glpi-Project
Product glpi
Weakness CWE-918 · SSRF
Published November 3, 2022
Last update April 22, 2025
View on NVD All CVEs

CVSS base score

3.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by administrator. This issue has been patched, please upgrade to 10.0.4. There are currently no known workarounds.

Key dates

02Disclosure timeline

November 3, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-13834 Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme <= 3.1.4 - Authenticated (Contributor+) Blind Server-Side Request Forgery via remote_request CVE-2023-49799 Server-Side Request Forgery in nuxt-api-party CVE-2023-51697 Audiobookshelf vulnerable to Blind SSRF in `podcastUtils.js` CVE-2026-42184 Tauri: Origin Confusion Allows Remote Pages to Invoke Local-Only IPC Commands CVE-2025-59055 InstantCMS vulnerable to Server-Side Request Forgery via package installer