CVE-2024-47759 MEDIUM

CVE-2024-47759: GLPI has a stored XSS via document upload

Vendor Glpi-Project
Product glpi
Weakness CWE-79 · XSS
Published November 15, 2024
Last update November 21, 2024

CVSS base score

6.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

Key dates

02Disclosure timeline

November 15, 2024 CVE published
November 21, 2024 Record updated