CVE-2022-35945

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-35945

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35945.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-35945

Aliases

GHSA-jrgw-cx24-56x5

Downstream

UBUNTU-CVE-2022-35945

Published

2022-09-14T17:45:12Z

Modified

2025-11-04T20:02:59.536394Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Cross site scripting (XSS) via registration API in GLPI

Details

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated to registration key are not properly escaped in registration key configuration page. They can be used to steal a GLPI administrator cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue. ### Workarounds Do not use a registration key created by an untrusted person.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

9fa6de558a9987561b80afd57a796a3fa19deee6

Fixed

5db9ca9f678989560bcc7b46d4a89c241f25af01

Affected versions

10.*

10.0.0

10.0.0-beta

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.1

10.0.2

9.*

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

9.5.5

9.5.6

9.5.7