CVE-2022-39375: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in glpi-project glpi

Medium
Published: Thu Nov 03 2022 (11/03/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi

Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched; please upgrade to version 10.0.4. There are currently no known workarounds.

AI-Powered Analysis

Last updated: 06/22/2025, 14:23:55 UTC

Technical Analysis

CVE-2022-39375 is a medium-severity cross-site scripting (XSS) vulnerability identified in the GLPI (Gestionnaire Libre de Parc Informatique) software, an open-source IT asset and service management platform widely used for ITIL service desk operations, license tracking, and software auditing. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically allowing authenticated users to create a public RSS feed that can inject malicious scripts into the dashboards of other users. This flaw enables an attacker to execute arbitrary JavaScript code in the context of the victim's browser session when they view the compromised dashboard. The vulnerability affects GLPI versions from 0.84 up to, but not including, version 10.0.4, where the issue has been patched. There are currently no known exploits in the wild, and no workarounds exist aside from upgrading to the fixed version. The attack vector requires an authenticated user to create the malicious RSS feed, but no additional user interaction is necessary for the victim once the malicious content is displayed on their dashboard. The impact includes potential session hijacking, credential theft, unauthorized actions on behalf of the victim, and possible further compromise of the GLPI environment or connected systems through the victim's browser. Given GLPI's role in managing critical IT assets and services, exploitation could lead to significant operational disruptions or data breaches within affected organizations.

Potential Impact

For European organizations, the exploitation of this vulnerability could lead to unauthorized access to sensitive IT management data, disruption of IT service management workflows, and potential lateral movement within corporate networks. Since GLPI is often used to track licenses, manage hardware and software inventories, and provide service desk functionalities, attackers leveraging this XSS flaw could manipulate or exfiltrate critical asset information, interfere with incident response processes, or impersonate legitimate users to escalate privileges. The compromise of GLPI dashboards may also undermine trust in IT service management processes, potentially delaying remediation of other security incidents. Organizations in sectors with stringent regulatory requirements (e.g., finance, healthcare, government) may face compliance risks if sensitive data is exposed or manipulated. Additionally, the lack of known exploits currently does not preclude future targeted attacks, especially as threat actors often weaponize such vulnerabilities once public disclosures become widespread.

Mitigation Recommendations

The primary and most effective mitigation is to upgrade GLPI installations to version 10.0.4 or later, where the vulnerability has been patched. Organizations should prioritize this upgrade in their patch management cycles. Beyond upgrading, administrators should enforce strict access controls to limit who can create or modify public RSS feeds, ideally restricting this capability to trusted users only. Implementing Content Security Policy (CSP) headers can help mitigate the impact of any residual or undiscovered XSS vectors by restricting the execution of unauthorized scripts. Regularly auditing user-generated content and monitoring dashboards for unusual or unexpected script injections can provide early detection of exploitation attempts. Additionally, organizations should educate users about the risks of XSS and encourage cautious behavior when interacting with dashboards or feeds. Network segmentation and the use of web application firewalls (WAFs) configured to detect and block XSS payloads can provide additional layers of defense. Finally, integrating GLPI security monitoring with broader SIEM solutions can help correlate suspicious activities and enable rapid incident response.
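To make the CWE-79 pattern described in the analysis and the output-encoding side of the mitigation concrete, here is an added Python example (not GLPI's code) that parses a constructed RSS feed and renders its items into a dashboard list twice: once by raw concatenation, and once with HTML escaping and an http(s)-only allow-list for item links. The feed content, hostnames and function names are all constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not real GLPI data). The second item carries
# markup in its title and a javascript: link, i.e. content that a feed
# author controls and that a dashboard must not render verbatim.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Team news</title>
<item><title>Maintenance window</title><link>https://intranet.example/maint</link></item>
<item><title>&lt;img src=x onerror=alert(1)&gt;Outage</title><link>javascript:alert(1)</link></item>
</channel></rss>"""


def parse_feed(xml_text):
    """Return (title, link) pairs from an RSS 2.0 document. The feed is
    untrusted input: nothing here is trusted beyond being well-formed XML."""
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), item.findtext("link", ""))
            for item in root.iter("item")]


def render_unsafe(items):
    """The CWE-79 pattern: feed text is concatenated straight into HTML,
    so any markup in a title or link reaches every viewer's browser."""
    return "".join(f'<li><a href="{link}">{title}</a></li>' for title, link in items)


def safe_link(link):
    """Allow only absolute http(s) URLs; javascript:, data: and relative
    values are rejected (None) rather than emitted into an href."""
    parts = urlsplit(link.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return link.strip()
    return None


def render_safe(items):
    """Hardened rendering: every text node and attribute value is escaped
    for its HTML context, and links are dropped unless they pass safe_link."""
    out = []
    for title, link in items:
        text = html.escape(title, quote=True)
        href = safe_link(link)
        if href is None:
            out.append(f"<li>{text}</li>")
        else:
            out.append(f'<li><a href="{html.escape(href, quote=True)}" '
                       f'rel="noopener noreferrer">{text}</a></li>')
    return "".join(out)


if __name__ == "__main__":
    feed_items = parse_feed(SAMPLE_FEED)
    print("unsafe:", render_unsafe(feed_items))
    print("safe:  ", render_safe(feed_items))
```

Escaping on output is the fix the CWE names; a Content Security Policy as recommended above limits what an escape that was missed can still do.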

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-09-02T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9846c4522896dcbf49b2

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 2:23:55 PM

Last updated: 7/26/2025, 2:50:35 AM
