Vulnerability CVE-2021-39210: Information

Description

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-39210
Published: Sept. 15, 2021
Modified: Oct. 25, 2022
Error type identifier: CWE-732

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
glpisisyphus9.5.6-alt110.0.15-alt1ALT-PU-2021-3030-1286922Fixed
glpip109.5.6-alt110.0.15-alt1ALT-PU-2021-3038-1287043Fixed
glpip99.5.6-alt19.5.13-alt1ALT-PU-2021-3059-1287044Fixed
glpic10f19.5.6-alt110.0.15-alt1ALT-PU-2021-3038-1287043Fixed
glpic9f29.5.13-alt19.5.13-alt1ALT-PU-2024-8094-3348598Fixed
glpip119.5.6-alt110.0.15-alt1ALT-PU-2021-3030-1286922Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2
  • Third Party Advisory
https://huntr.dev/bounties/b2e99a41-b904-419f-a274-ae383e4925f2/
  • Third Party Advisory
https://github.com/glpi-project/glpi/releases/tag/9.5.6
  • Release Notes
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      End excliding
      9.5.6
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top