Vulnerability CVE-2021-3486: Information

Description

GLPi 9.5.4 does not sanitize the metadata. This way its possible to insert XSS into plugins to execute JavaScript code.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3486

Published: May 27, 2021

Modified: Dec. 21, 2022

Error type identifier: CWE-79

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
glpi	sisyphus	9.5.5-alt1	10.0.15-alt1	ALT-PU-2021-1793-1	271713	Fixed
glpi	p10	9.5.5-alt1	10.0.15-alt1	ALT-PU-2021-1793-1	271713	Fixed
glpi	p9	9.5.5-alt1	9.5.13-alt1	ALT-PU-2021-1910-1	272696	Fixed
glpi	c10f1	9.5.5-alt1	10.0.15-alt1	ALT-PU-2021-1793-1	271713	Fixed
glpi	c9f2	9.5.13-alt1	9.5.13-alt1	ALT-PU-2024-8094-3	348598	Fixed
glpi	p11	9.5.5-alt1	10.0.15-alt1	ALT-PU-2021-1793-1	271713	Fixed

Hyperlink	Resource
https://n3k00n3.github.io/blog/09042021/glpi_xss.html	Exploit Third Party Advisory
https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1947653	Issue Tracking

Affected configurations:
1. Configuration 1
  cpe:2.3:a:glpi-project:glpi:9.5.4:*:*:*:*:*:*:*

Version: v24.5.3