CVE-2023-22724: 
GLPI vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in GLPI versions prior to 10.0.6, identified as CVE-2023-22724. The vulnerability was disclosed on January 24, 2023, affecting the RSS feed functionality where malicious RSS feeds could be imported by administrators (GHSA Advisory, NVD).

The vulnerability stems from improper sanitization of RSS feed contents and links. When an administrator imports RSS feeds through personal or public feed channels, the lack of proper input validation could allow execution of malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, no privileges required, and user interaction required (GHSA Advisory).

The vulnerability could allow attackers to execute arbitrary web scripts through malicious RSS feeds. Any user who has subscribed to a compromised RSS feed, whether through personal or public RSS feeds, could become a victim of an XSS attack. The impact primarily affects data confidentiality, with no direct impact on system integrity or availability (GHSA Advisory).

The vulnerability has been patched in GLPI version 10.0.6. Users are advised to upgrade to this version or later to protect against this security issue. No alternative workarounds have been published (GHSA Advisory).