VYPR
Unrated severity · NVD Advisory · Published Oct 7, 2020 · Updated Aug 4, 2024

Unauthenticated Stored XSS in GLPI

CVE-2020-15177

Description

In GLPI before version 9.5.2, the install/install.php endpoint insecurely stores user input into the database as url_base and url_base_api. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

Affected products

  • Glpi Project / Glpi, versions < 9.5.2 (2 version ranges)
    • (no CPE) range: < 9.5.2
    • (no CPE) range: >= 0.65, < 9.5.2
