- Stored XSS in the comments of items in the Knowledge base. Just add a comment like
<script>alert(1);</script>.
- Self XSS via the User-Agent for administrators:
|
echo "\t" . $_SERVER["HTTP_USER_AGENT"] . "\n"; |
. Triggered in Setup -> General -> System. Quite useless if not chained with other vulnerabilities.
- Stored XSS :
- Create a user with the surname
" onmouseover="alert(document.cookie) and an empty first name.
- With this user, create a ticket
- As an administrator (or other privileged user) open the created ticket
- On the "last update" field, put your mouse on the name of the user
- The XSS fires
This is difficult to tell exactly whoch versions are affected; but tha change in the Config class has been done for GLPI 0.78; we can consider all versions can be affected.
Patches
Fixed in:
Reference
https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html
For more information
If you have any questions or comments about this advisory:
<script>alert(1);</script>.glpi/inc/config.class.php
Line 1836 in 7093bde
" onmouseover="alert(document.cookie)and an empty first name.This is difficult to tell exactly whoch versions are affected; but tha change in the Config class has been done for GLPI 0.78; we can consider all versions can be affected.
Patches
Fixed in:
Reference
https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html
For more information
If you have any questions or comments about this advisory: