GFI HelpDesk Stored Cross-Site Scripting Vulnerability in Reports Module
Vulnerability
A stored cross-site scripting vulnerability has been identified in GFI HelpDesk versions prior to 4.99.10. The issue arises in the Reports module, where the title parameter is sent directly to the SWIFT_Report::Create() function without proper HTML sanitization. This allows attackers to inject arbitrary JavaScript into the report title field during the creation or editing of a report. The injected script executes when staff members view and click on the affected report link in the Manage Reports interface.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the browser session, and with the privileges, of the staff member viewing the affected report.
Remediation
Users are advised to upgrade to GFI HelpDesk version 4.99.10 or later, where this vulnerability has been addressed. The new version can be downloaded from the GFI Upgrade Center.
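The unsafe handling the advisory describes beside a hardened form, as an added PHP example that is not GFI HelpDesk's own code (the function names, the /reports/view/ path and the sample rows are assumptions):

```php
<?php
// Added illustration, not code from GFI HelpDesk: the pattern the advisory
// describes (a title stored and echoed without encoding) beside a hardened one.

// Vulnerable pattern: the title submitted on create/edit is stored as-is and
// later written straight into the Manage Reports markup, so tags are parsed.
function renderReportLinkUnsafe(array $report): string
{
    return '<a href="/reports/view/' . (int) $report['id'] . '">'
        . $report['title'] . '</a>';
}

// Hardened pattern: HTML-encode the title at output time, so the browser
// renders it as text regardless of what was stored.
function renderReportLinkSafe(array $report): string
{
    $title = htmlspecialchars($report['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/reports/view/' . (int) $report['id'] . '">' . $title . '</a>';
}

// Defence in depth on the create/edit path: reject titles containing markup
// rather than silently stripping it, so the stored value stays predictable.
function isValidReportTitle(string $title): bool
{
    return !preg_match('/[<>]|javascript:/i', $title);
}

// Post-upgrade review: report IDs whose stored titles contain markup, for an
// administrator to inspect reports created while the vulnerable version ran.
function findSuspiciousTitles(array $reports): array
{
    $hits = [];
    foreach ($reports as $report) {
        if (!isValidReportTitle($report['title'])) {
            $hits[] = $report['id'];
        }
    }
    return $hits;
}

// Constructed sample rows (not taken from the advisory).
$reports = [
    ['id' => 1, 'title' => 'Monthly ticket volume'],
    ['id' => 2, 'title' => 'Q3 <script>x</script> summary'],
];

echo renderReportLinkUnsafe($reports[1]), "\n"; // markup reaches the browser intact
echo renderReportLinkSafe($reports[1]), "\n";   // markup arrives as encoded entities
print_r(findSuspiciousTitles($reports));
```

Output encoding at render time is the fix that holds even if validation is bypassed; the input check and the review query only reduce what an attacker can store and help find reports created before the upgrade.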
