
XSS / open redirect via SVG file upload

Low
trasher published GHSA-9hg4-fpwv-gx78 Apr 21, 2022

Package

glpi (glpi-project)

Affected versions

<10.0.0

Patched versions

10.0.0

Description

Impact

An attacker can exploit an XSS to redirect the user by uploading a malicious SVG as a user's avatar.

Patches

Workarounds

Do not expose the files folder to the web.
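The workaround above keeps the stored files out of the web root. The Python below is added here as an illustration and is not GLPI's code or part of this advisory; it shows the two application-side checks that complement the workaround: accepting an avatar upload only when its bytes are a raster image (an SVG renamed to `.png` is still an XML document the browser would render), and serving anything from the files folder with headers that force a download instead of inline rendering. The function names and the sample uploads are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample uploads (not taken from the advisory): a minimal PNG
# header, and an SVG document that the client has named as if it were a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SAMPLE_SVG_AS_PNG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"></svg>'
)

_XML_DECL = re.compile(rb"^\s*(?:\xef\xbb\xbf)?<\?xml", re.IGNORECASE)
_SVG_TAG = re.compile(rb"<\s*svg\b", re.IGNORECASE)


def looks_like_svg(data: bytes) -> bool:
    """True if the bytes read as an XML/SVG document; only the head is inspected."""
    head = data[:4096]
    return bool(_XML_DECL.match(head) or _SVG_TAG.search(head))


def detect_raster_format(data: bytes) -> Optional[str]:
    """Identify PNG, JPEG or GIF by magic bytes; None for anything else."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    return None


def validate_avatar_upload(data: bytes) -> Tuple[bool, str]:
    """Accept only raster images, judged by content rather than by the
    client-supplied filename or Content-Type. Returns (accepted, detail)."""
    if looks_like_svg(data):
        return False, "svg rejected: XML documents can embed script or redirects"
    fmt = detect_raster_format(data)
    if fmt is None:
        return False, "rejected: not a recognised raster image"
    return True, fmt


def stored_file_headers(stored_name: str) -> Dict[str, str]:
    """Response headers for anything served out of the files folder: force a
    download under a generic type so the browser never renders it as a page."""
    safe_name = stored_name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print(validate_avatar_upload(SAMPLE_PNG))
    print(validate_avatar_upload(SAMPLE_SVG_AS_PNG))
    print(stored_file_headers("../avatar.svg"))
```

The upload check deliberately ignores the filename and declared MIME type, since both are chosen by the client; the response headers matter even after the check, because files already stored before the fix are still in the folder.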

References


For more information

If you have any questions or comments about this advisory:

mail us at glpi-security@ow2.org

Severity

Low

CVE ID

CVE-2022-24868

Weaknesses

No CWEs

Credits