Xanhacks

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.6 **Description** The issue concerns cross-site scripting via malicious RSS feeds. An administrator can import a malicious RSS feed containing Cross Site Scripting (XSS) payloads inside RSS links. When victims visit the RSS content and click on the link, they will execute the Javascript. **Recommendations** For versions prior to 10.0.6, update to version 10.0.6 to resolve the issue. As a temporary workaround, consider restricting the import of RSS feeds from untrusted sources to minimize the risk of exploitation. Avoid clicking on links from RSS feeds that may contain malicious payloads until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.4 **Description** The issue allows an administrator to store malicious code in an entity name. This can potentially lead to security breaches. The estimated number of potentially affected devices is not specified. **Recommendations** For versions prior to 10.0.4, upgrade to version 10.0.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.4 **Description** The issue is related to improper input validation in the GLPI system, which can be exploited by a remote attacker to impact the system's integrity. Users may be able to inject custom field values in `mailto` links. **Recommendations** For versions prior to 10.0.4, upgrade to version 10.0.4 to resolve the issue. As a temporary workaround, consider restricting the use of custom fields in `mailto` links until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.4 **Description** The issue is related to the improper neutralization of input data during web page generation, which may allow a remote attacker to execute arbitrary code. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. **Recommendations** For versions prior to 10.0.4, upgrade to version 10.0.4 to resolve the issue. At the moment, there is no information about other workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 10.0.0 through 10.0.5 **Description** The issue is related to Cross-site Scripting, where an administrator can store malicious code in help links. This can be exploited by a remote attacker to save arbitrary code in the help links. The problem is patched in version 10.0.6. **Recommendations** For GLPI versions 10.0.0 through 10.0.5, update to version 10.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the help links feature until the update is applied.