CVE-2023-28636 MEDIUM

CVE-2023-28636: GLPI vulnerable to stored Cross-site Scripting in external links

Vendor Glpi-Project
Product glpi
Weakness CWE-79 · XSS
Published April 5, 2023
Last update February 10, 2025
View on NVD All CVEs

CVSS base score

4.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

Key dates

02Disclosure timeline

April 5, 2023 CVE published
February 10, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-37338 WordPress Blossom Recipe Maker plugin <= 1.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities CVE-2023-24508 Remote Code Execution in Baicells RTS Platform CVE-2024-13196 donglight bookstore电商书城系统说明 BookInfoController.java BookSearchList cross site scripting CVE-2022-0208 MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting CVE-2023-20104 Cisco Webex App for Web Cross-Site Scripting Vulnerability