PT-2018-18158 · Teclib+1 · Glpi+1
Trasher
·
Published
2018-03-12
·
Updated
2019-01-26
·
CVE-2018-7563
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
GLPI versions prior to 9.2.2
Description
The issue affects the application, allowing for XSS in the query string to "front/preference.php". An attacker can create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. This can lead to actions such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Recommendations
For GLPI versions prior to 9.2.2, update to version 9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "front/preference.php" endpoint for users with debug privilege until a patch is applied. Avoid using the application with debug privilege enabled on untrusted networks until the issue is resolved.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Glpi