Vulnerability CVE-2021-3486: Information
Description
GLPi 9.5.4 does not sanitize the metadata. This way it is possible to insert XSS into plugins to execute JavaScript code.
Severity: MEDIUM (6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 9.5.5-alt1 | 10.0.15-alt1 | ALT-PU-2021-1793-1 | 271713 | Fixed |
glpi | p10 | 9.5.5-alt1 | 10.0.15-alt1 | ALT-PU-2021-1793-1 | 271713 | Fixed |
glpi | p9 | 9.5.5-alt1 | 9.5.13-alt1 | ALT-PU-2021-1910-1 | 272696 | Fixed |
glpi | c10f1 | 9.5.5-alt1 | 10.0.15-alt1 | ALT-PU-2021-1793-1 | 271713 | Fixed |
glpi | c9f2 | 9.5.13-alt1 | 9.5.13-alt1 | ALT-PU-2024-8094-3 | 348598 | Fixed |
glpi | p11 | 9.5.5-alt1 | 10.0.15-alt1 | ALT-PU-2021-1793-1 | 271713 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://n3k00n3.github.io/blog/09042021/glpi_xss.html | |
https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS | |
https://bugzilla.redhat.com/show_bug.cgi?id=1947653 | |