PT-2022-7407 · Glpi (+2) · Ariane (+1)
Published: 2022-04-21 · Updated: 2024-07-26
CVE-2022-24868
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.0
Description: GLPI does not sanitize uploaded SVG files, so an attacker can inject JavaScript into their user avatar; the script runs in the browser of any user who views that avatar, resulting in a cross-site scripting attack. The estimated number of potentially affected devices is not specified, and there is no information about real-world incidents where this issue was exploited. Exploitation consists of uploading a specially crafted SVG file; the underlying technical cause is the missing sanitization of SVG uploads, which lets JavaScript be embedded in the avatar.
Recommendations: Users of versions prior to 10.0.0 are advised to upgrade to a newer version. As a temporary workaround, users unable to upgrade should disallow SVG avatars to minimize the risk of exploitation.
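The following is an added example, not GLPI's code and not part of this advisory: an avatar upload gate that implements the two mitigations described above. By default it refuses SVG avatars altogether (the advised workaround); when SVG is explicitly allowed, it rejects any SVG that carries active content such as script elements, on* event-handler attributes, or javascript: hrefs. The function names, the tag and attribute lists, and the sample uploads are constructed assumptions for illustration.

```python
# Added example (not GLPI's code, not part of this advisory): an avatar
# upload gate that refuses SVG avatars by default (the advised workaround)
# and, when SVG is allowed, rejects any SVG carrying active content.
# Function names, tag/attribute lists and sample files are constructed.
import xml.etree.ElementTree as ET

# Raster formats recognised by their leading bytes; the decision is made on
# the file content, not on the filename extension the client supplies.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# SVG elements that can execute script, embed foreign markup, or rewrite
# attributes at runtime (animate/set can retarget an href).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "animate", "set"}
# URL schemes in href values that execute rather than load an image.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an SVG document is unsafe to serve inline.
    An empty list means no active content was found."""
    try:
        root = ET.fromstring(data)  # comments and PIs are dropped by default
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                reasons.append(f"event handler attribute {aname} on <{tag}>")
            # collapse whitespace before matching so a padded value
            # cannot hide the scheme
            compact = "".join(value.split()).lower()
            if aname == "href" and compact.startswith(SCRIPT_SCHEMES):
                scheme = compact.split(":", 1)[0]
                reasons.append(f"href with {scheme}: scheme on <{tag}>")
    return reasons


def accept_avatar(data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Decide whether an uploaded avatar may be stored.

    allow_svg=False mirrors the advised workaround of disallowing SVG avatars
    entirely; allow_svg=True only admits SVGs with no active content."""
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return True, kind
    head = data.lstrip()[:512].lower()
    looks_like_svg = head.startswith(b"<?xml") or b"<svg" in head
    if not looks_like_svg:
        return False, "unrecognised image format"
    if not allow_svg:
        return False, "SVG avatars are disabled"
    reasons = svg_active_content(data)
    if reasons:
        return False, "SVG contains active content: " + "; ".join(reasons)
    return True, "svg"


# Constructed sample uploads (placeholders, not real attack files).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>/* placeholder */</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
               b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void 0">'
               b'<text>hi</text></a></svg>')
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for label, blob in [("png", PNG_STUB), ("clean svg", CLEAN_SVG),
                        ("script svg", SCRIPT_SVG), ("handler svg", HANDLER_SVG)]:
        print(label, "| default:", accept_avatar(blob),
              "| svg allowed:", accept_avatar(blob, allow_svg=True))
```

Deciding on the bytes rather than the filename is deliberate: the upload handler should classify the content it is about to serve, and an SVG it cannot parse or that carries any of the listed constructs is refused rather than "cleaned", since an allow-list of known-safe drawing elements is far easier to keep correct than a deny-list of everything a browser might execute.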

XSS

Related Identifiers

ALT-PU-2022-1914
ALT-PU-2022-2177
ALT-PU-2022-2221
ALT-PU-2022-2614
ALT-PU-2022-2624
ALT-PU-2022-2665
ALT-PU-2023-7633
ALT-PU-2024-8030
ALT-PU-2024-8094
BDU:2024-05819
CVE-2022-24868
GHSA-9HG4-FPWV-GX78

Affected Products

ALT Linux
GLPI
RED OS