CVE-2019-1010307

Published: Jul 15, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (XSS). The impact is: All dropdown values are vulnerable to XSS leading to privilege escalation and executing js on admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User Create a ticket , 2- Admin opens another ticket and click on the "Link Tickets" feature, 3- a request to the endpoint fetches js and executes it.

Vendor	Product	Versions
GLPI	GLPI Product	affected `9.3.1`

References

https://github.com/glpi-project/glpi/releases/tag/9.3.1

x_refsource_MISC

https://github.com/glpi-project/glpi/blob/9.4/bugfixes/ajax/getDropdownValue.php

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-1010307

Description

Affected Products

References