Primary

Context

GFI HelpDesk Stored Cross-Site Scripting Vulnerability in Troubleshooter Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in GFI HelpDesk versions prior to 4.99.9. The issue resides in the Troubleshooter module, where the subject POST parameter is not properly sanitized before being displayed. This vulnerability allows an authenticated staff member to inject arbitrary JavaScript into the step subject field. The injected script executes when any user accesses the Troubleshooter > View Troubleshooter section and clicks on the affected step link.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected step.

Remediation

Users are advised to upgrade to GFI HelpDesk version 4.99.9 or later, where this vulnerability has been addressed. The latest version can be downloaded from the GFI Upgrade Center.

Added: Apr 20, 2026, 6:34 PM

Updated: Apr 20, 2026, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

6.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

5.0

remediation

0.0

relevance

6.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

GFI HelpDesk Stored Cross-Site Scripting Vulnerability in Troubleshooter Module

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating