CVE-2023-28639 MEDIUM

CVE-2023-28639: GLPI vulnerable to reflected Cross-site Scripting in search pages

Vendor Glpi
Product glpi
Weakness CWE-79 · XSS
Published April 5, 2023
Last update February 13, 2025
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.

Key dates

02Disclosure timeline

April 5, 2023 CVE published
February 13, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-33051 Craft CMS Vulnerable to Stored XSS in Revision Context Menu CVE-2025-58746 Volkov Labs Business Links plugin vulnerable to privilege escalation attack CVE-2023-35155 XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email CVE-2024-9269 Relogo <= 0.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2021-36833 WordPress MC4WP plugin <= 4.8.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability