Vulnerability CVE-2020-15177: Information

Description

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript, it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: Oct. 7, 2020
Modified: Oct. 16, 2020
Error type identifier: CWE-79

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| glpi | sisyphus | 9.5.2-alt2 | 10.0.15-alt1 | ALT-PU-2020-3130-1 | 260499 | Fixed |
| glpi | p10 | 9.5.2-alt2 | 10.0.15-alt1 | ALT-PU-2020-3130-1 | 260499 | Fixed |
| glpi | p9 | 9.5.2-alt2 | 9.5.13-alt1 | ALT-PU-2020-3162-1 | 260536 | Fixed |
| glpi | c10f1 | 9.5.2-alt2 | 9.5.13-alt1 | ALT-PU-2020-3130-1 | 260499 | Fixed |

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      End excluding
      9.5.2