CVE-2019-1010310

Name of the Vulnerable Software and Affected Versions: GLPI version 9.3.1

Description: The issue allows admins to phish users by injecting frame and form tags into reminder descriptions. This can lead to admins phishing any user or group of users for sensitive information such as credentials or credit card details. The component vulnerable to this issue is the description field in Tools > Reminder. An attacker can put a login form in this field, and when a user fills it out and submits, the request is sent to the attacker's domain, allowing the attacker to save the user's data.

Recommendations: For GLPI version 9.3.1, update to version 9.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the reminder description field in Tools > Reminder to minimize the risk of exploitation. Avoid using the description field in the affected component until the issue is resolved.