Vulnerability Description
GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In versions prior to 10.0.0 the avatar upload does not sanitize SVG files, so a user can embed JavaScript in their own avatar. Because the avatar is served to anyone who views it, every such viewer is subject to a stored cross-site scripting attack running in their GLPI session. Users of GLPI are advised to upgrade to 10.0.0 or later. Users unable to upgrade should disallow SVG avatars.
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 10.0.0 |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/glpi-project/glpi/commit/1aa9fcc4741a46fa5a9f11d71b409b911ffc (Patch, Third Party Advisory)
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9hg4-fpwv-gx78 (Third Party Advisory)
FAQ
What is CVE-2022-24868?
CVE-2022-24868 is a stored cross-site scripting vulnerability in GLPI with a CVSS base score of 7.3 (HIGH). GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In versions prior to 10.0.0 a user can exploit a lack of sanitization on SVG file uploads to inject JavaScript into their avatar; any user who views that avatar is subject to a cross-site scripting attack.
How severe is CVE-2022-24868?
CVE-2022-24868 has been rated HIGH with a CVSS base score of 7.3/10. This page lists only the base score and rating; the vector string and per-metric breakdown are given in the GitHub security advisory linked in the references.
Is there a patch for CVE-2022-24868?
Yes. The vulnerability is fixed in GLPI 10.0.0; the fixing commit and the vendor security advisory (GHSA-9hg4-fpwv-gx78) are linked in the references section above. Affected product: Glpi-Project Glpi, versions prior to 10.0.0. Installations that cannot upgrade should disable SVG avatars as a workaround.