CVE-2022-39181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GLPI Reports plugin for GLPI
GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or emailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.
AI Analysis
Technical Summary
CVE-2022-39181 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Reports plugin for GLPI, an open-source IT asset management and service desk software. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-supplied data from HTTP requests is directly reflected in HTTP responses without adequate sanitization or encoding. Specifically, the Reports plugin fails to properly validate or encode parameters that are echoed back to the user's browser, allowing an attacker to craft malicious URLs containing executable scripts. When a victim clicks such a URL, the malicious script executes in the context of the vulnerable GLPI web application, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. This is a Type 1 Reflected XSS, meaning the malicious payload is non-persistent and delivered via a crafted URL, often used in phishing campaigns to trick users into visiting the malicious link. The vulnerability affects all versions of the Reports plugin for GLPI as of the published date (November 17, 2022). The CVSS v3.1 base score is 6.1 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects components beyond the vulnerable component itself: the flaw sits in the GLPI web application, but the injected script runs in the victim's browser. The impact metrics indicate low confidentiality and integrity impact (C:L, I:L) and no impact on availability (A:N). No known exploits in the wild have been reported to date, and no official patches have been linked, suggesting that mitigation may rely on configuration or manual code review until an update is released.
Potential Impact
For European organizations using GLPI with the Reports plugin, this vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions and data. Attackers could exploit this flaw to execute arbitrary JavaScript in the context of the GLPI web application, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within the application. This could lead to unauthorized access to sensitive IT asset data, service desk tickets, or internal reports. While availability is not directly impacted, the compromise of user credentials or session tokens could facilitate further attacks or lateral movement within an organization's network. The risk is heightened in environments where GLPI is exposed to the internet or accessible by a large user base, increasing the likelihood of successful phishing campaigns leveraging this reflected XSS. Given the widespread use of GLPI in European public sector entities, educational institutions, and enterprises for IT service management, exploitation could disrupt critical IT operations and data confidentiality. However, the requirement for user interaction (clicking a malicious link) somewhat limits the attack surface to social engineering scenarios.
Mitigation Recommendations
1. Immediate mitigation should include educating users about the risks of clicking unsolicited or suspicious links, especially those purporting to be related to GLPI reports.
2. Implement web application firewall (WAF) rules to detect and block common XSS payload patterns targeting the Reports plugin endpoints.
3. Restrict access to the GLPI Reports plugin interface to trusted internal networks or VPN users to reduce exposure.
4. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of reflected XSS attacks.
5. Monitor web server and application logs for unusual URL parameters or repeated suspicious requests indicative of attempted exploitation.
6. Until an official patch is available, consider code-level review and manual sanitization of input parameters in the Reports plugin source code, applying proper output encoding for all reflected inputs.
7. Regularly check for updates from the GLPI project and apply security patches promptly once released.
8. Use multi-factor authentication (MFA) for GLPI user accounts to mitigate the risk of session hijacking resulting from XSS exploitation.
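The following is an added illustration of recommendations 4 and 6 (output encoding of reflected parameters and a restrictive CSP). It is example code written for this page, not code from the Reports plugin or from the GLPI project; GLPI plugins are PHP, so the example is in PHP. The parameter name report_name, the sample request value, and the CSP policy are assumptions chosen for illustration, and the functions shown do not correspond to any actual Reports plugin function.

```php
<?php
// Added example, not the Reports plugin's own code. Shows the vulnerable
// reflection pattern (CWE-79) next to contextual output encoding and a CSP
// header. The parameter name 'report_name' is an assumption.

declare(strict_types=1);

/**
 * Vulnerable pattern: a request parameter is concatenated into HTML as-is,
 * so any markup it contains is parsed by the browser.
 */
function renderTitleUnsafe(string $reportName): string
{
    return "<h2>Report: " . $reportName . "</h2>";
}

/**
 * Encoder for the HTML text and attribute-value contexts.
 * ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string (which would
 * silently drop the value and hide encoding failures).
 */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: same output, parameter encoded for the HTML text context. */
function renderTitleSafe(string $reportName): string
{
    return "<h2>Report: " . encodeHtml($reportName) . "</h2>";
}

/**
 * Attribute context: the encoder is the same, but the attribute must also be
 * quoted. A URL context (href, redirect target) needs rawurlencode() instead;
 * applying the wrong encoder for the context is how "encoded" output still
 * ends up exploitable.
 */
function renderFilterInput(string $current): string
{
    return '<input type="text" name="report_name" value="' . encodeHtml($current) . '">';
}

/**
 * Defence in depth (recommendation 4): a CSP that forbids inline scripts
 * limits what a reflected payload can do if an encoding gap remains.
 * The nonce is random per response; the policy assumes the page's own
 * scripts are served from the same origin and carry nonce="..." attributes.
 * Returns the nonce so the caller can tag its <script> elements.
 */
function sendCspHeader(): string
{
    $nonce  = base64_encode(random_bytes(16));
    $policy = "default-src 'self'; script-src 'self' 'nonce-$nonce'; "
            . "object-src 'none'; base-uri 'self'";
    if (!headers_sent()) {
        header('Content-Security-Policy: ' . $policy);
    }
    return $nonce;
}

// Constructed sample value: a "report name" carrying markup, ampersand and
// quotes, the characters that must not reach the browser unencoded.
$sample = $_GET['report_name'] ?? 'Monthly <b>assets</b> & "costs"';

$nonce = sendCspHeader();
echo "Unsafe: " . renderTitleUnsafe($sample) . PHP_EOL;
echo "Safe:   " . renderTitleSafe($sample) . PHP_EOL;
echo "Attr:   " . renderFilterInput($sample) . PHP_EOL;
echo "Nonce:  " . $nonce . PHP_EOL;
```

Run it from the command line (php example.php) to compare the unsafe and encoded output for the constructed sample, or serve it to see the CSP header; in the encoded variants the angle brackets, ampersand and quotes appear as entities, so the browser renders them as text rather than interpreting them as markup.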
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCD
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983cc4522896dcbee814
Added to database: 5/21/2025, 9:09:16 AM
Last enriched: 6/25/2025, 2:50:28 AM
Last updated: 7/31/2025, 1:54:04 AM
Related Threats
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9087: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (Medium)
- CVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad (Medium)