Multiple vulnerabilities in GLPI



Published: 2021-03-03
Risk High
Patch available YES
Number of vulnerabilities 9
CVE ID CVE-2021-21326
CVE-2021-21255
CVE-2021-21258
CVE-2021-21314
CVE-2021-21312
CVE-2021-21313
CVE-2021-21325
CVE-2021-21327
CVE-2021-21324
CWE ID CWE-264
CWE-862
CWE-79
CWE-470
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
GLPI
Web applications / CRM systems

Vendor glpi-project

Security Advisory

1) Permissions, Privileges, and Access Controls

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21326

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 0.20, 0.20.1, 0.21, 0.30, 0.31, 0.40, 0.41, 0.42, 0.50, 0.51, 0.51a, 0.60, 0.65, 0.68, 0.68.1, 0.68.2, 0.68.3, 0.70, 0.70.1, 0.70.2, 0.71, 0.71.1, 0.71.2, 0.71.3, 0.71.4, 0.71.5, 0.71.6, 0.72, 0.72.1, 0.72.2, 0.72.3, 0.72.4, 0.72.21, 0.78, 0.78.1, 0.78.2, 0.78.3, 0.78.4, 0.78.5, 0.80, 0.80.1, 0.80.2, 0.80.3, 0.80.4, 0.80.5, 0.80.6, 0.80.7, 0.80.61, 0.83, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.7, 0.83.8, 0.83.9, 0.83.31, 0.83.91, 0.84, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.84.5, 0.84.6, 0.84.7, 0.84.8, 0.85, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.85.5, 0.90, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 9.1, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.7.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.1.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Authorization

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21255

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system. 

The vulnerability exists due to insecure direct object reference (IDOR) issue. A remote attacker can switch entities with IDOR from a logged in user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.3

CPE External links

https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc
https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21258

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in ajax/kanban. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/commit/e7802fc051696de1f76108ea8dc3bd4e2c880f15
https://github.com/glpi-project/glpi/security/advisories/GHSA-j4xj-4qmc-mmmx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21314

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on ticket update. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Stored cross-site scripting

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21312

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on documents. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21313

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on tabs. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Stored cross-site scripting

Risk: Low

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21325

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in budget type. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Unsafe reflection

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21327

CWE-ID: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to unsafe reflection in getItemForItemtype(). A remote attacker can gain elevated privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.0, 9.5.1, 9.5.2, 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Missing Authorization

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-21324

CWE-ID: CWE-862 - Missing Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to insecure direct object reference (IDOR) issue on "Solutions". A remote attacker can delete arbitrary posts.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.5.3

CPE External links

https://github.com/glpi-project/glpi/releases/tag/9.5.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###