You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cedric-anne
published
GHSA-4xfc-4v58-wjhhApr 14, 2021
Package
No package listed
Affected versions
< 9.5.5
Patched versions
9.5.5
Description
Impact
Plugins editors can embed malicious code in plugins metadata (name, authors, description, ...). This code will be executed when displaying corresponding plugin informations on GLPI plugins management pages (i.e marketplace and plugins list).
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Learn more on MITRE.
n3k00n3 Analyst
Impact
Plugins editors can embed malicious code in plugins metadata (name, authors, description, ...). This code will be executed when displaying corresponding plugin informations on GLPI plugins management pages (i.e marketplace and plugins list).
Patches
fixed in 9.5.5
Reference
https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS
https://n3k00n3.github.io/blog/09042021/glpi_xss.html