CVE-2024-41678: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability (CVE-2024-41678) allows an unauthenticated user to provide a malicious link to a GLPI technician that can be exploited. This security issue affects GLPI versions from 0.50 up to versions prior to 10.0.17 (GITHUB ADVISORY, NVD).

The vulnerability is classified as a reflected XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 6.1 (Medium) from NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, while GitHub assessed it at 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability requires user interaction and can be exploited remotely through network access (NVD).

The exploitation of this vulnerability could lead to unauthorized access to sensitive information through cross-site scripting attacks. The CVSS scoring indicates potential for high confidentiality impact when successfully exploited, though integrity and availability impacts are not indicated (GITHUB ADVISORY).

The recommended mitigation is to upgrade to GLPI version 10.0.17 or later, which contains the security fix for this vulnerability (GITHUB ADVISORY).