CVE-2024-27914 - Vulnerability Details - OpenCVE

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95
https://github.com/glpi-project/glpi/releases/tag/10.0.13
https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r

History

Thu, 02 Jan 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Glpi-project Glpi-project glpi
CPEs		cpe:2.3:a:glpi-project:glpi::::::::
Vendors & Products		Glpi-project Glpi-project glpi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-18T16:19:00.298Z

Updated: 2024-08-02T15:25:55.247Z

Reserved: 2024-02-28T15:14:14.213Z

Link: CVE-2024-27914

Vulnrichment

Updated: 2024-08-02T00:41:55.731Z

NVD

Status : Analyzed

Published: 2024-03-18T17:15:07.130

Modified: 2025-01-02T15:30:15.373

Link: CVE-2024-27914

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27914", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.213Z", "datePublished": "2024-03-18T16:19:00.298Z", "dateUpdated": "2024-08-02T15:25:55.247Z"}, "containers": {"cna": {"title": "Reflected Cross-Site Scripting (XSS) in search engine when debug mode is enabled in GLPI", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}, {"name": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 10.0.8, < 10.0.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T16:19:00.298Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.\n"}], "source": {"advisory": "GHSA-rcxj-fqr4-q34r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.731Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}, {"name": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T15:25:44.198285Z", "id": "CVE-2024-27914", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T15:25:55.247Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27914", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.213Z", "datePublished": "2024-03-18T16:19:00.298Z", "dateUpdated": "2024-08-02T15:25:55.247Z"}, "containers": {"cna": {"title": "Reflected Cross-Site Scripting (XSS) in search engine when debug mode is enabled in GLPI", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}, {"name": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 10.0.8, < 10.0.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T16:19:00.298Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.\n"}], "source": {"advisory": "GHSA-rcxj-fqr4-q34r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.731Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}, {"name": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T15:25:44.198285Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T15:25:49.954Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2D3B124-BA18-450E-85B1-4D0BC6450567", "versionEndExcluding": "10.0.13", "versionStartIncluding": "10.0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.\n"}, {"lang": "es", "value": "GLPI es un paquete gratuito de software de gesti\u00f3n de TI y activos, gesti\u00f3n de centros de datos, ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. Un usuario no autenticado puede proporcionar un enlace malicioso a un administrador GLPI para explotar una vulnerabilidad XSS reflejado. El XSS solo se activar\u00e1 si el administrador navega por la barra de depuraci\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 10.0.13."}], "id": "CVE-2024-27914", "lastModified": "2025-01-02T15:30:15.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-18T17:15:07.130", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}