Tienna-0051

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.17 **Description** The issue is related to the lack of protection of the web page structure in GLPI, allowing for a remote attacker to conduct a cross-site scripting (XSS) attack. An authenticated user can bypass access control policies to create a private RSS feed attached to another user's account and use a malicious payload to trigger a stored XSS. **Recommendations** For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting access to the RSS feed feature to minimize the risk of exploitation. Additionally, restrict the ability of authenticated users to attach malicious payloads to other user accounts.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.17 **Description** The issue is related to a reflected XSS vulnerability located in the Cable form of GLPI, an open-source asset and IT management software package. This vulnerability can be exploited by an unauthenticated user providing a malicious link to a GLPI technician. The exploitation of this vulnerability may allow a remote attacker to conduct a cross-site scripting (XSS) attack. **Recommendations** For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting access to the Cable form until the upgrade is applied. Avoid providing or clicking on suspicious links from untrusted sources to minimize the risk of exploitation.