CVE-2023-28639: 
GLPI vulnerability analysis and mitigation

CVE-2023-28639 affects GLPI, a free asset and IT management software package. The vulnerability was discovered in version 0.85 and affects all versions prior to 9.5.13 and 10.0.7. The issue was disclosed on April 5, 2023, and allows an unauthenticated user to craft a malicious link that can exploit a reflected XSS vulnerability when accessed by authenticated users (NVD, GitHub Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network vector access, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

When exploited, the vulnerability allows an attacker to execute malicious scripts in the context of an authenticated user's browser session when they access a specially crafted link. This can lead to unauthorized access to sensitive information and potential session hijacking (GitHub Advisory).

The vulnerability has been fixed in GLPI versions 9.5.13 and 10.0.7. Users are strongly recommended to upgrade to these patched versions to protect against this security issue (GitHub Release 9.5.13, GitHub Release 10.0.7).