
CVE-2022-24868: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi

Medium
Published: Thu Apr 21 2022 (04/21/2022, 16:55:11 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi

Description

GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In versions prior to 10.0.0, a lack of sanitization on SVG file uploads allows a user to inject JavaScript into their user avatar. As a result, any user viewing the avatar is subject to a cross-site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.

AI-Powered Analysis

Last updated: 06/23/2025, 10:07:53 UTC

Technical Analysis

CVE-2022-24868 is a medium-severity cross-site scripting (XSS) vulnerability affecting versions of the GLPI (Gestionnaire Libre de Parc Informatique) IT asset and service management software prior to 10.0.0. GLPI is widely used for ITIL service desk functionalities, license tracking, and software auditing. The vulnerability arises from improper sanitization of SVG file uploads used as user avatars. Specifically, the application fails to neutralize malicious JavaScript embedded within SVG files, allowing an attacker to inject script code into the avatar image. When any user views the compromised avatar, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions within the GLPI interface. Exploitation does not require elevated privileges beyond the ability to upload or change an avatar image, which may be restricted to authenticated users depending on the deployment. No known public exploits have been reported in the wild, but the vulnerability presents a significant risk due to the ease of injecting malicious content and the potential for widespread impact on users viewing affected avatars. The vulnerability is categorized under CWE-79, highlighting improper input neutralization during web page generation. Mitigation primarily involves upgrading GLPI to version 10.0.0 or later, where proper sanitization is implemented. For users unable to upgrade promptly, disabling SVG avatars is recommended to prevent exploitation. This vulnerability underscores the importance of rigorous input validation and output encoding for user-supplied content, especially in web applications handling file uploads and user-generated content.

Potential Impact

For European organizations using GLPI versions prior to 10.0.0, this vulnerability could lead to significant security risks including unauthorized access to sensitive IT asset data, service desk tickets, and potentially broader network access if attackers leverage stolen credentials or session tokens. The XSS flaw can facilitate phishing attacks within the GLPI interface, spread malware, or allow attackers to manipulate service desk operations, disrupting IT support workflows. Confidentiality is at risk due to possible data leakage, integrity can be compromised by unauthorized modifications, and availability may be indirectly affected if attackers disrupt service desk functions. Given GLPI's role in IT management, exploitation could cascade into wider organizational impacts, particularly in sectors with critical infrastructure or regulated environments. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target widely used open-source tools. Organizations with multiple GLPI users are at higher risk due to the potential for lateral attack propagation through user interactions.

Mitigation Recommendations

1. Upgrade GLPI installations to version 10.0.0 or later, where the vulnerability is patched with proper SVG sanitization.
2. If upgrading is not immediately feasible, disable the use of SVG files as user avatars to prevent malicious SVG uploads.
3. Implement strict access controls on avatar upload functionality to limit it to trusted users only.
4. Employ web application firewalls (WAFs) with rules to detect and block malicious SVG payloads or suspicious script patterns in file uploads.
5. Conduct regular security audits and penetration testing focused on file upload and user-generated content features.
6. Educate users and administrators about the risks of XSS and encourage vigilance when interacting with user avatars or other dynamic content.
7. Monitor GLPI logs for unusual avatar upload activity or unexpected script execution errors.
8. Consider deploying Content Security Policy (CSP) headers to restrict script execution sources within the GLPI web interface, mitigating impact if exploitation occurs.
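As an added example (not part of this advisory and not GLPI's own code), the following Python check implements the intent of recommendations 1 and 2 server-side: avatar uploads that are not raster images are rejected, and when SVG avatars are enabled an SVG is rejected if it carries any of the script-bearing constructs the analysis above describes (script elements, event-handler attributes, active URL schemes in href). The function names and both sample SVGs are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Element names that let an SVG run script or embed foreign content in the viewer's browser.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)

def local_name(qname):
    """Strip an XML namespace ('{uri}name' -> 'name') and lower-case it."""
    return qname.rsplit("}", 1)[-1].lower()

def svg_script_findings(svg_bytes):
    """Return the reasons an SVG must be rejected; an empty list means clean."""
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DTD or entity declarations are not allowed"]
    try:
        root = ET.fromstring(svg_bytes)  # stdlib parser; comments and PIs are dropped
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and ACTIVE_SCHEME.match(value):
                findings.append(f"active URL scheme in href on <{name}>")
    return findings

def avatar_upload_allowed(content_type, data, allow_svg=False):
    """Avatar policy: raster images pass; SVG only when enabled and clean."""
    if content_type in ("image/png", "image/jpeg", "image/gif"):
        return True, []
    if content_type == "image/svg+xml" and allow_svg:
        findings = svg_script_findings(data)
        return not findings, findings
    return False, [f"content type {content_type!r} is not allowed for avatars"]

# Constructed samples: a benign icon, and one carrying the three injection
# vectors the check covers (handler attribute, <script>, javascript: href).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<circle cx="5" cy="5" r="4" fill="#08c"/></svg>')
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
               b'<script>x()</script><a href="javascript:x()"><text>hi</text></a></svg>')
```

With `allow_svg=False` (the advisory's workaround) the hostile sample is refused on content type alone; with SVG avatars enabled it is refused with three findings, while the clean icon passes.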


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf2d30

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 10:07:53 AM

Last updated: 7/31/2025, 3:00:49 PM
