Skip to main content

Glpi CVE-2024-50339

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2024-12-12 security-advisories@github.com
9.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Dec 12, 2024 - 02:06 cve.org
CRITICAL 9.3

DescriptionCVE.org

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

AnalysisAI

GLPI is a free asset and IT management software package. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. Affected products include: Glpi-Project Glpi. Version information: version 9.5.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Glpi

View all
CVE-2013-5696 MEDIUM POC
6.8 Sep 23

inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installati

CVE-2025-24799 HIGH POC
7.5 Mar 18

GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers ca

CVE-2022-35914 CRITICAL POC
9.8 Sep 19

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Rat

CVE-2022-31056 CRITICAL POC
9.8 Jun 28

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking an

CVE-2013-2225 MEDIUM POC
6.4 May 27

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _pr

CVE-2024-27756 HIGH POC
8.8 Mar 15

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Rated high

CVE-2020-11060 HIGH POC
8.8 May 12

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Rated high severity (

CVE-2019-14666 HIGH POC
8.8 Sep 25

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. Rated hig

CVE-2014-9258 MEDIUM POC
6.5 Dec 19

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to exec

CVE-2024-29889 HIGH POC
8.1 May 07

GLPI is a Free Asset and IT Management Software package. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2013-2226 HIGH POC
7.5 May 14

Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands vi

CVE-2016-7508 HIGH POC
7.5 Jun 21

Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL co

Share

CVE-2024-50339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy