
CVE-2022-39277: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi

Medium
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi

Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched; please upgrade to GLPI 10.0.4. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/21/2025, 21:37:21 UTC

Technical Analysis

CVE-2022-39277 is a medium-severity vulnerability affecting the GLPI (Gestionnaire Libre de Parc Informatique) software, an open-source IT asset and service management tool widely used for ITIL service desk functions, license tracking, and software auditing. The vulnerability arises from improper neutralization of input during web page generation, specifically related to external links that are not properly sanitized. This flaw allows an attacker to inject malicious scripts into web pages viewed by other users, constituting a Cross-Site Scripting (XSS) attack (CWE-79 and CWE-80). The vulnerability affects all GLPI versions starting from 0.60 up to, but not including, version 10.0.4. The issue was publicly disclosed on November 3, 2022, and has been patched in GLPI 10.0.4. No known exploits are currently reported in the wild, and no workarounds exist aside from upgrading. The vulnerability does not require authentication to be exploited if the attacker can trick a user into clicking a crafted external link or visiting a maliciously crafted page that interacts with the vulnerable GLPI instance. The impact of this vulnerability primarily concerns the confidentiality and integrity of user sessions and data, as malicious scripts can steal session cookies, perform actions on behalf of users, or manipulate displayed content. Availability is less directly impacted. The vulnerability scope includes all GLPI installations running affected versions, which are often deployed in enterprise IT environments for asset and service management.

Potential Impact

For European organizations, the impact of this XSS vulnerability can be significant, especially for those relying on GLPI for critical IT asset management and service desk operations. Successful exploitation could lead to session hijacking, unauthorized actions within the GLPI interface, and potential data leakage or manipulation. This could disrupt IT service management workflows, compromise sensitive asset and license information, and erode trust in IT operational integrity. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive data is exposed. Although no active exploits are known, the widespread use of GLPI in Europe means that attackers could target these organizations through phishing or social engineering to deliver malicious links. The vulnerability also poses a risk to supply chain security, as compromised GLPI instances could be used as pivot points for broader network attacks. The overall impact is medium but could escalate if combined with other vulnerabilities or social engineering tactics.

Mitigation Recommendations

The primary and most effective mitigation is to upgrade all GLPI instances to version 10.0.4 or later, where the vulnerability has been patched. Organizations should prioritize this upgrade in their patch management cycles. In addition, administrators should implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the GLPI web interface. Input validation and output encoding should be reviewed and enhanced where possible, especially for any custom plugins or integrations that interact with external links. User awareness training should emphasize caution when clicking on links within GLPI or related communications. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block common XSS payloads targeting GLPI. Logging and monitoring should be enhanced to detect unusual user activity or script injection attempts. Finally, organizations should conduct regular security assessments of their GLPI deployments to identify any residual or related vulnerabilities.
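As an added example (not GLPI's code), the following Python sketch shows the two controls the mitigation paragraph calls for on external links: a scheme allowlist applied before a stored URL is accepted, and context-aware output encoding when it is rendered into the page. The function names, sample inputs and the CSP baseline are constructed for illustration.

```python
"""Defensive rendering of user-supplied external links.

Added example for CVE-2022-39277 (XSS via unsanitized external links in GLPI);
this is not GLPI's own code. Two independent controls are shown:
  1. sanitize_external_url: accept only plain http(s) URLs (rejects javascript:,
     data:, scheme-less and control-character-laden input).
  2. render_external_link: HTML-encode both the href attribute and the link text,
     so a URL that survives the allowlist still cannot break out of its context.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Illustrative baseline only (constructed); a real deployment must tune this to
# the application's own script and style sources before enforcing it.
CSP_BASELINE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def sanitize_external_url(url: str) -> Optional[str]:
    """Return the URL unchanged if it is an http(s) link with a host, else None."""
    # Browsers strip tabs/newlines before parsing, so "java\nscript:" can slip past
    # naive checks; reject any control character or raw whitespace outright.
    if any(ord(c) < 0x20 or c == " " for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_external_link(url: str, label: str) -> str:
    """Render an <a> element for an allowed URL; otherwise show the label as text."""
    safe_url = sanitize_external_url(url.strip())
    safe_label = escape(label, quote=True)  # encodes & < > " ' for the text node
    if safe_url is None:
        return f'<span class="invalid-link">{safe_label}</span>'
    # quote=True also encodes the quote characters, so a URL such as
    # https://host/?q="onmouseover="... cannot terminate the href attribute.
    return (f'<a href="{escape(safe_url, quote=True)}" rel="noopener noreferrer" '
            f'target="_blank">{safe_label}</a>')


if __name__ == "__main__":
    for u in ("https://example.com/docs", "javascript:alert(1)", "//example.com"):
        print(render_external_link(u, "Vendor <docs>"))
```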


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9849c4522896dcbf6c58

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 9:37:21 PM

Last updated: 8/1/2025, 1:27:24 AM
