GLPI is susceptible to Stored XSS attack through project’s kanban...

GLPI is susceptible to Stored XSS attack through project’s kanban

July 29, 2025 invoker category_cve

CVE Details

Basic Information

Title	GLPI is susceptible to Stored XSS attack through project’s kanban
Type	cve
Published	2025-07-29T17:39:28.813Z
Modified	2025-07-29T18:35:50.874Z

Product Information

Vendor	glpi-project
Product	glpi
Version	>= 9.5.0, < 10.0.19

CVSS Information

Base Score	4.5 (MEDIUM)
Attack Vector	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Affected Products

glpi-project glpi >= 9.5.0, < 10.0.19

Additional Information

CWE List	CWE-80, CWE-79
Source	GitHub_M

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project’s kanban. This is fixed in version 10.0.19.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj
https://github.com/glpi-project/glpi/commit/c340a64a11343bde706d1cd41e4be798dd922303

View Full CVE Details