CVE-2023-22722 MEDIUM

CVE-2023-22722: glpi subject to Cross-site Scripting (XSS) - Reflected

Vendor Glpi-Project
Product glpi
Weakness CWE-79 · XSS
Published January 25, 2023
Last update March 10, 2025
View on NVD All CVEs

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.

Key dates

02Disclosure timeline

January 25, 2023 CVE published
March 10, 2025 Record updated