
CVE-2025-27514: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in glpi-project glpi

Severity: Medium
Tags: Vulnerability, CVE-2025-27514, CWE-80, CWE-79
Published: Tue Jul 29 2025 (07/29/2025, 17:39:28 UTC)
Source: CVE Database V5
Vendor/Project: glpi-project
Product: glpi

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.

AI-Powered Analysis

Last updated: 07/29/2025, 18:03:14 UTC

Technical Analysis

CVE-2025-27514 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the GLPI software, versions 9.5.0 through 10.0.18. GLPI is an open-source IT asset and service management platform widely used for data center management, ITIL service desks, license tracking, and software auditing. The vulnerability arises from improper neutralization of script-related HTML tags (CWE-80 and CWE-79) in the project kanban feature, which allows a technician-level user to inject malicious scripts that are persistently stored and later executed in the context of other users viewing the kanban board. The CVSS 3.1 base score is 4.5, reflecting a medium severity with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The impact is primarily on confidentiality, as the vulnerability allows an attacker to execute scripts that could steal session tokens or sensitive information from other users. Integrity and availability impacts are not indicated. The vulnerability was fixed in GLPI version 10.0.19. No known exploits are currently reported in the wild. The flaw specifically affects authenticated users with technician privileges who can inject malicious payloads into the kanban project interface, which then execute when other users access the affected page. This vulnerability underscores the importance of proper input validation and output encoding in web applications, especially in collaborative tools where stored XSS can lead to widespread compromise.

Potential Impact

For European organizations using GLPI for IT asset and service management, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized data exposure via stored XSS attacks. Since the vulnerability requires a technician-level user to inject the payload, insider threats or compromised technician accounts could be leveraged by attackers. The confidentiality of sensitive IT management data, including asset inventories, license information, and service desk tickets, could be compromised. This could lead to further lateral movement within the organization or data leakage. Given GLPI's role in managing critical IT infrastructure, exploitation could undermine trust in IT operations and potentially disrupt service management workflows. The lack of impact on integrity and availability reduces the risk of direct service disruption but does not eliminate the risk of indirect operational impacts due to compromised credentials or data exposure. European organizations with strict data protection regulations (e.g., GDPR) must consider the compliance implications of such data breaches.

Mitigation Recommendations

1. Immediate upgrade to GLPI version 10.0.19 or later, where the vulnerability is patched, is the most effective mitigation.
2. Restrict technician-level privileges to trusted personnel only and enforce strong authentication and monitoring of these accounts to reduce the risk of insider threats or account compromise.
3. Implement web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting GLPI interfaces.
4. Conduct regular security audits and code reviews focusing on input validation and output encoding in custom plugins or integrations with GLPI.
5. Educate users, especially technicians, about the risks of injecting untrusted content and the importance of secure coding practices.
6. Monitor GLPI logs for unusual activity related to project kanban modifications or unexpected script injections.
7. If immediate upgrade is not feasible, consider disabling or restricting access to the project kanban feature temporarily to limit exposure.
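To support the upgrade step above, the following added example (not code from the advisory or from the GLPI project) classifies GLPI instances in an inventory against the affected range stated here, 9.5.0 through 10.0.18 with the fix in 10.0.19. The hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage an inventory of GLPI instances against the version range
# stated for CVE-2025-27514 (affected: 9.5.0 through 10.0.18, fixed in 10.0.19).
import re

AFFECTED_MIN = (9, 5, 0)   # first affected release
FIXED_IN = (10, 0, 19)     # first fixed release (exclusive upper bound)

def parse_version(version: str) -> tuple:
    """Parse 'major.minor[.patch]' into an int tuple.

    An optional leading 'v' and any '-rc1' / '+build' suffix are ignored, so a
    pre-release is compared as its base version. Raises ValueError otherwise.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_affected(version: str) -> bool:
    """True if the version lies in [9.5.0, 10.0.19)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def triage(inventory: dict) -> dict:
    """Map each host to 'affected', 'not affected' or 'unknown'.

    Unparseable version strings are reported as 'unknown' rather than silently
    treated as safe, so they still get a manual look.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "glpi-prod": "10.0.18",
    "glpi-test": "10.0.19",
    "glpi-legacy": "9.4.6",
    "glpi-dev": "10.0.17-dev",
    "glpi-unknown": "latest",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```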


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-02-26T18:11:52.306Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68890940ad5a09ad008f4e02

Added to database: 7/29/2025, 5:47:44 PM

Last enriched: 7/29/2025, 6:03:14 PM

Last updated: 7/30/2025, 2:22:07 PM
