CVE-2024-45611

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 10.0.17

Description The issue is related to the lack of protection of the web page structure in GLPI, allowing for a remote attacker to conduct a cross-site scripting (XSS) attack. An authenticated user can bypass access control policies to create a private RSS feed attached to another user's account and use a malicious payload to trigger a stored XSS.

Recommendations For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting access to the RSS feed feature to minimize the risk of exploitation. Additionally, restrict the ability of authenticated users to attach malicious payloads to other user accounts.