CVE-2018-7563

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 9.2.2

Description The issue affects the application, allowing for XSS in the query string to "front/preference.php". An attacker can create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. This can lead to actions such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Recommendations For GLPI versions prior to 9.2.2, update to version 9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "front/preference.php" endpoint for users with debug privilege until a patch is applied. Avoid using the application with debug privilege enabled on untrusted networks until the issue is resolved.