CVE-2024-11955: 
GLPI vulnerability analysis and mitigation

GLPI versions up to 10.0.17 contain an open redirection vulnerability in the index.php file. The vulnerability was discovered and disclosed on February 25, 2025, and affects the web application's URL redirection functionality. This moderate severity issue has been assigned CVE-2024-11955 and was addressed in GLPI version 10.0.18 (GitHub Advisory).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and received a CVSS v3.1 base score of 6.5. The attack vector is network-based with low complexity, requires no privileges but does need user interaction. The vulnerability exists in the redirect parameter of the index.php file, where the application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect operation (GitHub Advisory, VulDB).

The vulnerability allows an unauthenticated attacker to create malicious links that can be used in phishing attacks. When exploited, it affects the integrity of the system by potentially redirecting users to malicious websites. The vulnerability has a high impact on confidentiality but does not affect system availability (GitHub Advisory).

The vulnerability has been patched in GLPI version 10.0.18. Users are strongly recommended to upgrade to this version to mitigate the security risk. The update is available for download through the official GitHub repository (GitHub Release).