PT-2021-14411 · Glpi+1

Trasher · Published 2021-03-03 · Updated 2024-05-22 · CVE-2021-21313

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.4

Description: The issue concerns a vulnerability in the "/ajax/common.tabs.php" endpoint, where at least two request parameters, target and id, are not properly sanitized before being reflected into the response. This can be exploited using specific payloads, depending on which parameter is targeted. For example, manipulating the target and id parameters allows script to be executed in the victim's browser, such as alerting the document cookie.

Recommendations: For versions prior to 9.5.4, update to version 9.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ajax/common.tabs.php" endpoint until the patch is applied, and avoid passing the target and id parameters to the affected endpoint until the issue is resolved.
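The advisory describes the defect class only: request parameters reflected into HTML without validation or encoding. The following is an added illustration of that class and of the corresponding fix; it is not GLPI's code, and the function names, the HTML it produces and the sample inputs are hypothetical. Only the parameter names target and id come from the advisory.

```php
<?php
// Added illustrative example (not GLPI's code). Shows a request parameter
// reflected into HTML without encoding, beside a hardened version that
// validates `id` and encodes `target` for the attribute context it lands in.
// renderTabVulnerable/renderTabHardened and their markup are hypothetical.

// Vulnerable pattern: raw request values are interpolated into the response,
// so a value containing quotes or angle brackets changes the page structure.
function renderTabVulnerable(array $get): string
{
    $target = $get['target'] ?? '';
    $id     = $get['id'] ?? '';
    return "<div class='tab' data-target='$target' data-id='$id'></div>";
}

// Hardened pattern: validate what has a known shape, encode everything else.
function renderTabHardened(array $get): string
{
    // `id` is expected to be a positive integer; anything else is rejected
    // rather than reflected.
    $id = filter_var(
        $get['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // `target` is free-form text from the client; encode quotes and angle
    // brackets so it can only ever be attribute data, never markup.
    $target = htmlspecialchars($get['target'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return "<div class='tab' data-target='$target' data-id='$id'></div>";
}

// Constructed sample inputs: one benign, one that tries to close the
// attribute and inject a tag. Neither comes from the advisory.
$benign  = ['target' => 'front/computer.form.php', 'id' => '12'];
$hostile = ['target' => "'><i>x</i>", 'id' => '12'];

echo "vulnerable, benign : " . renderTabVulnerable($benign) . "\n";
echo "vulnerable, hostile: " . renderTabVulnerable($hostile) . "\n"; // attribute is broken out of
echo "hardened,   hostile: " . renderTabHardened($hostile) . "\n";   // quotes/brackets are entity-encoded

// Non-numeric `id` is rejected outright instead of being echoed back.
try {
    renderTabHardened(['target' => 'x', 'id' => '12abc']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The point of the two functions is the order of operations: a value with a known shape (a numeric id) is validated and never reflected when it fails, and a free-form value is encoded for the exact context (here a single-quoted attribute, hence ENT_QUOTES) at the moment it is written into the page, not somewhere upstream where the output context is unknown.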

Fix

Weakness Enumeration

Special Elements Injection
XSS

Related Identifiers

ALT-PU-2021-1583
ALT-PU-2021-1660
ALT-PU-2024-8094
CVE-2021-21313
GHSA-H4HJ-MRPG-XFGX

Affected Products

Alt Linux
Glpi