CVE-2022-24869: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.
AI Analysis
Technical Summary
CVE-2022-24869 is a medium-severity stored cross-site scripting (XSS) vulnerability in GLPI, an open-source IT asset and service management platform used for ITIL service desk operations, license tracking and software auditing. It affects versions from 0.90 up to, but not including, 10.0.0. The root cause is improper neutralization of input during web page generation (CWE-79): the content of ticket follow-ups and of the configurable login message is rendered without stripping stylesheet references, so an attacker can embed a link to an external stylesheet (or equivalent inline CSS) that the browser of every user who views the follow-up or the login page then tries to load. Because the payload is stored server-side, the victim needs only to open the affected page; no further interaction is required. Planting it does require a foothold: an account able to add follow-ups to a ticket, or administrative access to edit the login message. The advisory notes that browser cross-origin (CORS) restrictions partially mitigate the vector, but they do not remove it, and any stylesheet that does load is applied in the context of the GLPI origin, which is why the advisory still asks users to upgrade. No exploitation in the wild has been reported, but GLPI's wide deployment makes it a credible target for attacks on the confidentiality, integrity and availability of IT service data.
Potential Impact
For European organizations running GLPI versions prior to 10.0.0, this vulnerability could lead to attacker-controlled content being rendered within the GLPI web application for other users. Potential impacts include session hijacking, credential theft, unauthorized actions performed on behalf of legitimate users, and the injection of payloads that could serve as a pivot to further internal network compromise. Given GLPI's role in managing IT assets and service desks, exploitation could disrupt IT operations, leak sensitive asset and ticket data, or facilitate lateral movement within networks. The partial mitigation by browser cross-origin restrictions reduces but does not eliminate the risk, especially where users run outdated browsers. The medium severity reflects a moderate standalone risk that could escalate when combined with other vulnerabilities or social engineering. Organizations in sectors with strict data protection requirements, such as finance, healthcare and government, may also face compliance exposure if the flaw is exploited.
Mitigation Recommendations
1. Upgrade to GLPI 10.0.0 or later, where the issue is fixed; this is the only complete remediation.
2. Deploy a strict Content Security Policy. For this vector the relevant directive is style-src 'self' (with default-src 'self' as the fallback), which stops the browser from loading a stylesheet from an attacker-controlled origin; a tight script-src limits what any other XSS in the interface could do.
3. Sanitize rich-text input for ticket follow-ups and the login message on the server with an allowlist of tags and attributes, removing link and style elements, style attributes and any URL that is not http(s) or mailto, rather than blocklisting known payloads.
4. Conduct regular security audits and penetration testing focused on web application vulnerabilities in GLPI deployments.
5. Make users aware that follow-ups and the login page are shared surfaces: a malicious stylesheet reference needs no click, so the instruction is to report unexpected visual changes or prompts in the interface rather than interact with them.
6. Monitor web server and application logs for attempted exploitation, and search stored follow-ups and the configured login message for stylesheet references (link and style elements, @import) to find payloads already planted.
7. If an immediate upgrade is not feasible, place the instance behind strict network controls, restrict which accounts may add follow-ups, and treat the login message as a privileged setting editable only by a small set of administrators.
8. Keep browsers used to access GLPI up to date so that the cross-origin restrictions the advisory relies on for partial mitigation are in place.
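The following Python is an added example, not GLPI's own code (GLPI is written in PHP, and its 10.0.0 fix is not reproduced here). It shows three of the checks above on constructed data: an allowlist sanitizer for follow-up HTML that drops link and style elements and unsafe href values, a scanner that flags already-stored content carrying stylesheet markers, and a check that a CSP header confines style-src to the application origin. The tag and attribute allowlists, the marker pattern and the sample records are assumptions made for illustration.

```python
"""Allowlist sanitizer and detection helpers for rich-text fields such as
GLPI ticket follow-ups or a login message. Added example, not GLPI code;
the allowlists and sample records below are assumptions."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a help-desk note legitimately needs; anything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "code", "pre", "blockquote"}
VOID_ALLOWED = {"br"}
# Per-tag attribute allowlist: no style, class, id or on* handlers anywhere.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Void elements that carry the stylesheet vector; silently dropped.
VOID_DROP = {"link", "meta", "base"}
# Elements whose whole content is discarded (an inline <style> with @import
# is the other way to pull in a remote stylesheet).
CONTENT_DROP = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _safe_href(value: str) -> bool:
    """Allow absolute http(s)/mailto links and same-site paths only."""
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or (v.startswith("/") and not v.startswith("//"))


class FollowupSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allowlisted markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0  # nesting depth inside a CONTENT_DROP element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_DROP:
            return
        if tag in CONTENT_DROP:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue  # blocks javascript:, data: and protocol-relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROP:
            self._suppress = max(0, self._suppress - 1)
        elif not self._suppress and tag in ALLOWED_TAGS and tag not in VOID_ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data, quote=False))  # re-escape all text


def sanitize_followup(fragment: str) -> str:
    parser = FollowupSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Markers worth hunting for in already-stored follow-ups and login messages.
STYLESHEET_MARKERS = re.compile(r"<link\b|<style\b|@import\b|\bstyle\s*=", re.I)


def find_stylesheet_injection(records):
    """records: iterable of (id, html). Returns ids whose body carries a marker."""
    return [rid for rid, body in records if STYLESHEET_MARKERS.search(body)]


def csp_blocks_external_stylesheets(csp_header: str) -> bool:
    """True if style-src (or default-src as its fallback) allows only the
    application's own origin, which is what a strict CSP for this vector needs."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return False  # no governing directive: any origin may be loaded
    return all(src in {"'self'", "'none'"} for src in sources)


# Constructed sample records (not real GLPI data): a benign note, an
# external <link>, an inline @import, and a javascript: link.
SAMPLE_FOLLOWUPS = [
    (101, "<p>Printer on floor 2 is <b>offline</b> again.</p>"),
    (102, '<p>Please check</p><link rel="stylesheet" href="https://evil.example/x.css">'),
    (103, "<style>@import url('https://evil.example/y.css');</style><p>thanks</p>"),
    (104, '<p><a href="javascript:alert(1)">ticket link</a></p>'),
]

if __name__ == "__main__":
    print("flagged:", find_stylesheet_injection(SAMPLE_FOLLOWUPS))  # [102, 103]
    for rid, body in SAMPLE_FOLLOWUPS:
        print(rid, sanitize_followup(body))
```

The sanitizer rebuilds the fragment rather than patching the input, so an element it does not recognise cannot survive by being spelled unusually; note that record 104 is not flagged by the marker scan (it carries no stylesheet reference) but its javascript: href is still removed, which is why the scan is a triage aid and not a substitute for sanitizing on input.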
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2d41
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 10:07:41 AM
Last updated: 7/31/2025, 10:09:44 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)