CVE-2021-21312

Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.4

Description: The issue concerns a vulnerability within the document upload function, specifically the "Web Link" form field, which is not properly sanitized. This allows a malicious user with document upload rights to deliver a JavaScript payload. For example, using the payload " accesskey="x" onclick="alert(1)" x=", the content is saved within the database without control. When returning to the summary documents page and clicking on the "Web Link" of the newly created file, it creates a new empty tab, and on the initial tab, a pop-up appears. The vulnerability can be exploited through the /front/document.form.php endpoint.

Recommendations: For versions prior to 9.5.4, update to version 9.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the document upload function, especially the "Web Link" field, to minimize the risk of exploitation. Additionally, avoid using the "Web Link" field in the affected API endpoint until the issue is resolved.