CVE-2024-43417: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-43417. The vulnerability was discovered and disclosed on November 15, 2024, affecting GLPI versions from 10.0.0 up to (excluding) 10.0.17. This security flaw allows an unauthenticated user to provide a malicious link to a GLPI technician that can be exploited through the Software form (NIST NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. GitHub has assigned a slightly different score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NIST NVD).

The exploitation of this vulnerability could lead to unauthorized access to sensitive information and potential execution of malicious scripts in the context of the GLPI technician's browser session. The vulnerability primarily affects the confidentiality of the system, with high potential impact on data confidentiality but no direct impact on system integrity or availability (GitHub Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.17 or later, which contains the security patch for this vulnerability (GitHub Advisory).