CVE-2025-27514
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-08-04
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi-project | glpi | From 9.5.0 (inc) to 10.0.19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-27514 is a stored Cross-Site Scripting (XSS) vulnerability in the GLPI project management software's kanban feature. A technician with high privileges can inject malicious script code that is stored and later executed when the kanban interface is viewed. This happens because the software fails to properly sanitize or neutralize special characters in the input, allowing scripts to run in users' browsers. [2]
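To make the CWE-79/CWE-80 mechanism concrete, here is an added Python example (not GLPI code, and not from the advisory) with a hypothetical kanban-card renderer: the "before" form concatenates user-controlled text straight into markup, the hardened form escapes the special characters the CWE-80 entry names before they reach the page, and a small defender-side check reports whether a rendered fragment still carries a user value unneutralized. The card markup and the sample title are constructed for this illustration.

```python
import html

# Hypothetical kanban-card renderer (not GLPI's): builds the HTML for one card.
def render_card_unsafe(title: str, assignee: str) -> str:
    """'Before' form: user-controlled values are inserted into markup as-is (CWE-80),
    so '<', '>', '&' and quotes keep their HTML meaning in the viewer's browser."""
    return (f'<div class="card" data-assignee="{assignee}">'
            f'<span class="title">{title}</span></div>')


def render_card_safe(title: str, assignee: str) -> str:
    """Hardened form: every user-controlled value is HTML-escaped at the point of
    output. quote=True also escapes '"' and "'", which covers the attribute context
    (data-assignee) as well as the element text (the title)."""
    return (f'<div class="card" data-assignee="{html.escape(assignee, quote=True)}">'
            f'<span class="title">{html.escape(title, quote=True)}</span></div>')


def markup_leaked(user_value: str, rendered: str) -> bool:
    """Defender-side check: True when a user value containing markup-significant
    characters appears verbatim (unescaped) in the rendered HTML, i.e. neutralization
    did not happen. Values without such characters cannot leak markup and return False."""
    special = '<>&"\''
    if not any(c in user_value for c in special):
        return False
    return user_value in rendered


if __name__ == "__main__":
    # Constructed sample title: benign text that happens to contain every CWE-80 character.
    title = 'Fix "login" <bug> & retest'
    print(render_card_unsafe(title, "tech"))   # markup survives intact
    print(render_card_safe(title, "tech"))     # markup is neutralized
    print(markup_leaked(title, render_card_unsafe(title, "tech")))  # True
    print(markup_leaked(title, render_card_safe(title, "tech")))    # False
```

The check is the kind of assertion a unit test around a template or renderer can carry permanently: feed every user-controlled field a value containing the five characters above and require that none of them appear raw in the output. Escaping belongs at output time, in the context the value lands in (element text, attribute, URL, script), rather than at input time where the final context is unknown.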
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information (high confidentiality impact) because the injected scripts can execute in the context of the user's browser. However, it does not affect data integrity or availability. Exploitation requires a user with high privileges to inject the payload and some user interaction to trigger the script execution. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve checking if your GLPI installation is running a vulnerable version (9.5.0 through 10.0.18). You can verify the GLPI version by running commands like `glpi/bin/console glpi:version` or checking the version file in the installation directory. Additionally, monitoring for suspicious input or stored scripts in the projects kanban interface may help identify exploitation attempts. There are no specific commands provided in the resources for detecting the stored XSS payload itself. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade GLPI to version 10.0.19 or later, which contains the patch that properly neutralizes malicious input and prevents the stored XSS attack. Until the upgrade is applied, restrict technician privileges to trusted users only and monitor for suspicious activity on the projects kanban feature. [2]
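The detection and mitigation answers above come down to one procedure: obtain the installed GLPI version and compare it against the affected range in the table (from 9.5.0 inclusive to 10.0.19 exclusive). The following added Python helper (not part of the advisory or of GLPI) does that comparison; it assumes you already have the version string, for example from the console command the detection answer mentions, and the sample inputs below are constructed for illustration.

```python
import re
from typing import Tuple

# Affected range for CVE-2025-27514 as listed on this page:
# from 9.5.0 (inclusive) to 10.0.19 (exclusive).
AFFECTED_FROM: Tuple[int, int, int] = (9, 5, 0)
FIXED_IN: Tuple[int, int, int] = (10, 0, 19)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the dotted numeric version out of a string such as 'GLPI 10.0.18' or '10.0.18'.
    Missing trailing components are treated as 0 ('10.1' -> (10, 1, 0)); extra components
    are ignored. Raises ValueError when no version is present, so a blank or garbled line
    is never silently treated as 'not affected'."""
    match = re.search(r'(\d+(?:\.\d+)+)', text)
    if not match:
        raise ValueError(f'no version number found in {text!r}')
    parts = tuple(int(p) for p in match.group(1).split('.'))
    major, minor, patch = (parts + (0, 0, 0))[:3]
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True when the parsed version falls inside [AFFECTED_FROM, FIXED_IN)."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def triage(version_text: str) -> str:
    """One-line verdict suitable for an inventory report."""
    if is_affected(version_text):
        return f'{version_text}: affected by CVE-2025-27514, upgrade to 10.0.19 or later'
    return f'{version_text}: outside the affected range'


if __name__ == "__main__":
    # Constructed sample inventory lines; replace with real console output.
    for line in ["GLPI 9.4.6", "GLPI 9.5.0", "GLPI 10.0.18", "GLPI 10.0.19"]:
        print(triage(line))
```

Tuple comparison handles the range correctly because Python compares element by element, so 9.5.0 sorts below 10.0.18 even though "9.5.0" sorts after "10.0.18" as a string; that string-versus-number mistake is the usual way version checks go wrong. Until the upgrade is in place, the restriction on technician privileges from the mitigation answer remains the compensating control.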