PT-2020-14249 · Teclib · Glpi

Trasher · Published 2020-10-07 · Updated 2024-05-22 · CVE-2020-15177

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.2

Description: The issue concerns insecure storage of user input into the database as url base and url base api. These settings are used throughout the application, allowing for vulnerabilities such as Cross-Site Scripting and Insecure Redirection. Since authentication is not required to make these changes, anyone could modify these fields to point to malicious websites or craft form input to trigger XSS, potentially leveraging JavaScript to steal cookies or perform actions as the user.

Recommendations: For versions prior to 9.5.2, update to version 9.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the install/install.php endpoint to prevent unauthorized changes to the url base and url base api settings. Avoid using the url base and url base api variables in a way that could trigger XSS until the issue is resolved.
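The root cause described above is a base-URL setting that is persisted without validation and then emitted all over the application. The following is an added illustration, not GLPI's own code, of the defensive shape such a setting should have: a validator that only accepts a plain http(s) origin on an operator-defined host allowlist, and an escaping helper for the point where the stored value is rendered. The function names, the allowlist and the sample inputs are all constructed for this example.

```php
<?php
// Added example (not GLPI code): validate a base URL before it is persisted so
// that the stored value cannot carry script, markup or an off-site redirect.

/** Return a canonical "scheme://host[:port][/path]" string, or null if rejected. */
function validateBaseUrl(string $candidate, array $allowedHosts): ?string
{
    // Control characters, whitespace, quotes, angle brackets and backslashes are
    // exactly what turns a stored setting into markup once it is echoed back.
    if (preg_match('/[\x00-\x20"\'<>\\\\]/', $candidate)) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http/https origins are acceptable; javascript:, data: etc. are not.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // A base URL has no credentials, query string or fragment.
    if (isset($parts['user']) || isset($parts['pass'])
        || isset($parts['query']) || isset($parts['fragment'])) {
        return null;
    }
    // The host must be one the instance is actually served on (constructed allowlist).
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    // Rebuild the value from the parsed parts instead of storing the raw input.
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    $path = rtrim($parts['path'] ?? '', '/');
    return $scheme . '://' . $host . $port . $path;
}

/** Escape a stored base URL for insertion into an HTML attribute or text node. */
function renderBaseUrl(string $storedUrl): string
{
    return htmlspecialchars($storedUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs for a local run.
$allowed = ['glpi.example.internal'];
var_dump(validateBaseUrl('https://glpi.example.internal/glpi/', $allowed)); // accepted
var_dump(validateBaseUrl('javascript:alert(1)', $allowed));                 // null
var_dump(validateBaseUrl('https://glpi.example.internal/"><svg>', $allowed)); // null
var_dump(validateBaseUrl('https://attacker.example/', $allowed));            // null, host
```

The accepted value is canonicalised before storage and still escaped on output, so neither the persistence layer nor the templates trust the raw submission.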

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3130
ALT-PU-2020-3162
ALT-PU-2024-8094
CVE-2020-15177
GHSA-PRVH-9M4H-4M79

Affected Products

Alt Linux
Glpi