CVE-2022-39262

CVSS v3.1

5.2

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 10.0.4

Description The issue is related to the improper neutralization of input data during web page generation, allowing a remote attacker to execute arbitrary code using specially crafted RTF data. This can be used to steal credentials, as the GLPI administrator can define rich-text content to be displayed on the login page, which can contain malicious code.

Recommendations For versions prior to 10.0.4, upgrade to version 10.0.4 to resolve the issue. As a temporary workaround, consider restricting the ability to define rich-text content on the login page until the patch is applied.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-83CWE-79

Related Identifiers

ALT-PU-2022-2614

ALT-PU-2022-2624

ALT-PU-2022-2665

ALT-PU-2022-3008

ALT-PU-2022-3078

ALT-PU-2022-3274

ALT-PU-2023-7633

ALT-PU-2024-8030

ALT-PU-2024-8094

BDU:2024-05808

CVE-2022-39262

GHSA-4X48-Q2WR-CPG4

Affected Products

Alt Linux

Glpi

Red Os

CVE-2022-39262

Weakness Enumeration

Related Identifiers

Affected Products

References · 21