CVE-2024-23645: 
GLPI vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in GLPI, a Free Asset and IT Management Software package, identified as CVE-2024-23645. The vulnerability was disclosed on February 1, 2024, affecting GLPI versions prior to 10.0.12. The issue allows attackers to execute XSS attacks on reports pages through malicious URLs (GLPI Advisory, Ubuntu).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, User interaction Required, Changed scope, Low confidentiality impact, and Low integrity impact, with no availability impact. The vulnerability exists in the reports pages where special characters in URLs were not properly encoded, potentially allowing for XSS execution (GLPI Advisory).

If exploited, this vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers when they access specifically crafted URLs on the reports pages. This could potentially lead to unauthorized access to sensitive information and compromise of user sessions (GLPI Advisory).

The vulnerability has been fixed in GLPI version 10.0.12. Users are recommended to upgrade to this version. As a temporary workaround, administrators can remove read rights on reports for all profiles (GLPI Release, GLPI Advisory).