Vulnerability CVE-2022-24868: Information
Description
GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In versions prior to 10.0.0, SVG file uploads are not sanitized, so an authenticated user can inject JavaScript into their own avatar. Any user who views that avatar is then subject to a stored cross-site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
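The two defensive options named above (sanitize SVG uploads, or refuse SVG avatars altogether) are easier to reason about with a concrete check. The following Python script is an added example, not code from GLPI or from the ALT errata: it sniffs whether an upload really is an SVG regardless of the declared extension or Content-Type, and, when SVG avatars are permitted, rejects files that carry `<script>` or `<foreignObject>` elements, `on*` event-handler attributes, or `javascript:` URLs in `href` and SMIL animation attributes. The sample SVG and PNG inputs are constructed for the example; the element and attribute lists are a deliberately small denylist chosen to illustrate the mechanism, not an exhaustive sanitizer.

```python
"""Check an avatar upload for SVG active content (added example, not GLPI code)."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Elements that embed executable content when the SVG is rendered as a document.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URL the browser may navigate to or assign:
# href (and xlink:href), plus SMIL <set>/<animate> targets that can retarget href.
URL_ATTRS = {"href", "to", "from", "values"}
# Leading whitespace/control characters are tolerated by browsers before the scheme.
_JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*javascript:", re.IGNORECASE)
# Content sniff: an <svg root somewhere in the first 4 KiB (after XML decl/comments).
_SVG_OPEN = re.compile(rb"<svg[\s>/]", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip a Clark-notation namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def looks_like_svg(data: bytes) -> bool:
    """Decide by content, not by the attacker-controlled filename or MIME type.

    A false positive (e.g. '<svg ' inside a PNG text chunk) only rejects a file,
    which is the safe direction for this check."""
    return _SVG_OPEN.search(data[:4096]) is not None


def find_svg_scripts(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means no active content was detected.

    Raises ValueError on malformed XML, a non-<svg> root, or any DOCTYPE/ENTITY
    declaration (rejected outright rather than parsed, to sidestep entity-expansion
    attacks against the XML parser)."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted in avatars")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    findings: List[str] = []
    for elem in root.iter():          # document order, depth first
        tag = _local(elem.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                # values= may carry a semicolon-separated list of animation keyframes
                if any(_JS_SCHEME.match(part) for part in value.split(";")):
                    findings.append(f"javascript: URL in {name}= on <{tag}>")
    return findings


def avatar_verdict(data: bytes, allow_svg: bool = False) -> str:
    """Policy wrapper: 'accept' or 'reject: <reason>'.

    allow_svg=False implements the advisory's workaround (no SVG avatars at all);
    allow_svg=True accepts only SVGs in which no active content was found."""
    if not looks_like_svg(data):
        return "accept"               # non-SVG bytes are out of scope for this check
    if not allow_svg:
        return "reject: SVG avatars are disabled"
    try:
        findings = find_svg_scripts(data)
    except ValueError as exc:
        return f"reject: {exc}"
    return "reject: " + "; ".join(findings) if findings else "accept"


# Constructed sample inputs (not taken from any real upload).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
  <circle cx="32" cy="32" r="30" fill="#4a90d9"/>
</svg>"""

EVIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <rect width="64" height="64" onload="alert(1)"/>
  <a xlink:href="  JavaScript:alert(2)"><text y="20">click</text></a>
  <set attributeName="href" to="javascript:alert(3)"/>
</svg>"""

DOCTYPE_SVG = b'<!DOCTYPE svg [<!ENTITY x "a">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'

PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # PNG signature followed by padding


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SVG), ("evil", EVIL_SVG), ("doctype", DOCTYPE_SVG)):
        print(f"{label:8s} -> {avatar_verdict(blob, allow_svg=True)}")
```

Two caveats a deployment should keep in mind. A denylist like the one above is only as complete as its author's knowledge of browser behaviour, so a maintained SVG sanitizer, or rasterizing avatars to PNG on the server, is the stronger choice when SVG must be supported. And even a "clean" SVG should be served from a path that cannot run script in the application's origin, for example with a restrictive Content-Security-Policy on the avatar response or from a separate static-content origin, so that a missed construct does not become a session-stealing XSS.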
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 10.0.0-alt1 | 10.0.15-alt1 | ALT-PU-2022-1914-1 | 300291 | Fixed |
glpi | sisyphus_e2k | 10.0.0-alt1 | 10.0.15-alt1 | ALT-PU-2022-5024-1 | - | Fixed |
glpi | p10 | 9.5.8-alt1 | 10.0.15-alt1 | ALT-PU-2022-2177-1 | 303183 | Fixed |
glpi | p10_e2k | 9.5.8-alt1 | 10.0.15-alt1 | ALT-PU-2022-5388-1 | - | Fixed |
glpi | p9 | 9.5.8-alt1 | 9.5.13-alt1 | ALT-PU-2022-2221-1 | 303295 | Fixed |
glpi | p9_e2k | 9.5.8-alt1 | 9.5.13-alt1 | ALT-PU-2022-6118-1 | - | Fixed |
glpi | c10f1 | 10.0.15-alt1 | 10.0.15-alt1 | ALT-PU-2024-8030-2 | 348513 | Fixed |
glpi | c9f2 | 9.5.13-alt1 | 9.5.13-alt1 | ALT-PU-2024-8094-3 | 348598 | Fixed |
glpi | p11 | 10.0.0-alt1 | 10.0.15-alt1 | ALT-PU-2022-1914-1 | 300291 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/glpi-project/glpi/security/advisories/GHSA-9hg4-fpwv-gx78 | GitHub security advisory GHSA-9hg4-fpwv-gx78 |
https://github.com/glpi-project/glpi/commit/1aa9fcc4741a46fa5a9f11d71b409b911ffc190f | Upstream commit |