Stored XSS and CSRF exploit #2483

Closed
orthagh opened this issue Jul 19, 2017 · 5 comments

orthagh commented Jul 19, 2017

Related CVE:

Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows
remote authenticated attackers to submit a request which could lead to
the creation of an admin account in the application.

Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote
authenticated attackers to inject arbitrary web script or HTML by
attaching a crafted HTML file to a ticket.

Thanks to Eric Carter (CS)

Should be already fixed by fc93633

ShellInjector commented Jul 19, 2017

Message saved

orthagh commented Jul 20, 2017

@ShellInjector.

Please don't disclose security issues and send them to contact mail.
Also, use a separate issue (with CVE)

@ShellInjector

@orthagh, OK. Thanks

orthagh commented Jul 20, 2017

@ShellInjector see #2493

@ShellInjector

I see, Mr @orthagh.
