CVE-2023-28852

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28852
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28852.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28852
Aliases
  • GHSA-65gq-p8hg-7m92
Downstream
Published
2023-04-05T17:45:30.721Z
Modified
2025-12-04T23:46:14.854961Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
GLPI vulnerable to stored Cross-site Scripting through dashboard administration
Details

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28852.json"
}
References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type
GIT
Repo
https://github.com/glpi-project/glpi
Events
Introduced
9fa6de558a9987561b80afd57a796a3fa19deee6
Fixed
d110d2b6976208ca2cac0747cab92781b45475a7
Database specific 
{
    "versions": [
        {
            "introduced": "9.5.0"
        },
        {
            "fixed": "9.5.13"
        }
    ]
}
Type
GIT
Repo
https://github.com/glpi-project/glpi
Events
Introduced
815997021a5df4feb7077a12f6f52769e9bd3459
Fixed
bce21331d50a020cd0928178a68fe4aac2cc50b4
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.7"
        }
    ]
}

Affected versions

10.*

10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6

9.*

9.5.0
9.5.1
9.5.10
9.5.11
9.5.12
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7
9.5.8
9.5.9