CVE-2022-24876: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi

Medium
Published: Thu Jun 09 2022 (06/09/2022, 18:50:25 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi

Description

GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. Kanban is a GLPI view that displays Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1, a user can exploit a cross-site scripting vulnerability in Kanban by injecting HTML code into their user name. Users are advised to upgrade. There are no known workarounds for this issue.

AI-Powered Analysis

Last updated: 06/23/2025, 06:50:04 UTC

Technical Analysis

CVE-2022-24876 is a cross-site scripting (XSS) vulnerability identified in the GLPI project management and IT asset management software, specifically affecting versions prior to 10.0.1. GLPI is widely used for ITIL service desk functions, license tracking, and software auditing. The vulnerability resides in the Kanban view feature, which displays projects, tickets, changes, or problems on a task board. An attacker can exploit this vulnerability by injecting malicious HTML or JavaScript code into the user name field. Because the application improperly neutralizes input during web page generation (CWE-79), the injected code is executed in the context of other users viewing the Kanban board. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The vulnerability does not require prior authentication to inject the payload, but exploitation depends on the victim accessing the affected Kanban view where the malicious user name is displayed. There are no known workarounds, and the vendor recommends upgrading to version 10.0.1 or later where the issue is fixed. No public exploits have been reported in the wild as of the publication date, but the nature of XSS vulnerabilities makes them a persistent risk, especially in environments with multiple users and sensitive data.

Potential Impact

For European organizations using GLPI versions prior to 10.0.1, this vulnerability poses a moderate risk to confidentiality and integrity. Attackers could execute arbitrary scripts in the browsers of users who view the Kanban board, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within GLPI. This could lead to unauthorized access to sensitive IT asset information, service desk tickets, or license data. While the vulnerability does not directly impact system availability, successful exploitation could facilitate further attacks or data breaches. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance risks and reputational damage if exploited. The risk is heightened in environments where GLPI is accessible to multiple users with varying privilege levels, especially if user input is not otherwise sanitized or monitored.

Mitigation Recommendations

The primary mitigation is to upgrade GLPI installations to version 10.0.1 or later, where the vulnerability is patched. Organizations should prioritize this upgrade in their patch management cycles. In the interim, administrators should restrict access to the Kanban view to trusted users only and monitor user name inputs for suspicious or malformed content. Implementing web application firewalls (WAFs) with custom rules to detect and block common XSS payloads targeting the Kanban interface can provide additional protection. Logging and alerting on unusual user name changes or injection attempts can help detect exploitation attempts early. Security teams should educate users about the risks of clicking on suspicious links or interacting with untrusted content within GLPI. Finally, regular security assessments and code reviews of custom GLPI plugins or integrations should be conducted to ensure no additional injection vectors exist.
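The two patterns behind this advisory, as an added example that is not GLPI project code: a Kanban card renderer that concatenates the user-controlled display name straight into HTML (the CWE-79 pattern described in the Technical Analysis) next to one that output-encodes every user field, plus the kind of check the mitigation notes suggest for logging or alerting on user name changes that contain markup. The function and field names (`renderCardUnsafe`, `renderCardSafe`, `looksLikeMarkup`, `assignee`) and the sample cards are assumptions constructed for this example and are not taken from GLPI's code base.

```javascript
// Added example (not GLPI project code): an unescaped Kanban card renderer
// beside an output-encoded one, and a heuristic that flags user names
// containing markup so that a name change can be logged or alerted on.
// All function/field names here are hypothetical, not GLPI identifiers.

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute. Encoding at the output point is the fix class
// for CWE-79; input filtering alone is not sufficient.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the display name is interpolated directly into the
// markup that the board will inject into the DOM, so any tags in it render
// and any script in it runs in the viewer's session.
function renderCardUnsafe(card) {
  return `<div class="card"><span class="title">${card.title}</span>` +
         `<span class="assignee">${card.assignee}</span></div>`;
}

// Hardened pattern: every user-controlled field is encoded where it is
// written into HTML, so the browser treats it as text rather than markup.
function renderCardSafe(card) {
  return `<div class="card"><span class="title">${escapeHtml(card.title)}</span>` +
         `<span class="assignee">${escapeHtml(card.assignee)}</span></div>`;
}

// Detection heuristic (not a sanitizer): true when a display name contains
// something shaped like an HTML tag, an inline event handler, or a
// javascript: URL. Suitable as a trigger for logging/alerting on profile
// changes; legitimate names should never match.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
function looksLikeMarkup(name) {
  return MARKUP_PATTERN.test(String(name));
}

// Returns the assignee names on a board that warrant review.
function reviewNames(cards) {
  return cards.filter((c) => looksLikeMarkup(c.assignee)).map((c) => c.assignee);
}

// Constructed sample board data; the second assignee is the classic test
// string, not a real user from any GLPI instance.
const sampleCards = [
  { title: 'Replace backup tapes', assignee: 'Alice Martin' },
  { title: 'Renew TLS certificate', assignee: '<script>alert(1)</script>' },
];

// Stand-alone demonstration.
for (const card of sampleCards) {
  console.log('unsafe:', renderCardUnsafe(card));
  console.log('safe:  ', renderCardSafe(card));
}
console.log('names to review:', reviewNames(sampleCards));
```

The design point is that `renderCardSafe` encodes at the sink, so it is correct regardless of where the name came from; `looksLikeMarkup` is only a monitoring aid and will not catch every encoding trick, which is why the upgrade to 10.0.1 remains the actual fix.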

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf321d

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 6:50:04 AM

Last updated: 7/28/2025, 7:10:16 AM
