CVE-2026-23752

medium

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.

References

https://www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-companyname-parameter

https://gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releases

Details

Source: Mitre, NVD

Published: 2026-04-20

Updated: 2026-04-20

Risk Information

CVSS v2

Base Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.8

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 4.8

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Severity: Medium