SB2019092463 - Multiple vulnerabilities in GLPI

Description

This security bulletin contains information about 2 vulnerabilities.

1) Cross-site scripting (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the rich text field when rendering user-supplied content. A remote attacker can inject a specially crafted script payload to execute arbitrary script in a victim's browser.

2) Improper access control (CVE-ID: CVE-2019-14666)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the autocompletion feature when handling autocomplete requests. A remote user can use an unprivileged account to retrieve sensitive data from other users to disclose sensitive information.

Remediation

Install update from vendor's website.

References

• https://github.com/glpi-project/glpi/security/advisories/GHSA-vqg5-7m7m-m3rw
• https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q