GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

4.8 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.

Basic Information

ID CVE-2026-23752

Source VulnCheck

Published Apr 20, 2026 at 17:33

Modified Apr 20, 2026 at 18:09

Affected Product

Vendor GFI Software

Product HelpDesk

Affected Versions GFI Software HelpDesk 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "GFI HelpDesk before\u00a04.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.",
    "published": "2026-04-20T17:33:23.424Z",
    "modified": "2026-04-20T18:09:59.603Z",
    "type": "cve",
    "title": "GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter",
    "source": "VulnCheck",
    "references": "https://gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releases\nhttps://www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-companyname-parameter",
    "id": "CVE-2026-23752",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "GFI Software HelpDesk 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "HelpDesk",
    "version": "0",
    "vendor": "GFI Software",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter_CVE-2026-23752