SB2022091469 - Multiple vulnerabilities in GLPI


Published: September 14, 2022 Updated: May 4, 2026

Security Bulletin ID: SB2022091469
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 20%, Low: 80%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-36112)

The vulnerability allows a remote user to scan ports or services on the GLPI server or its private network.

The vulnerability exists due to server-side request forgery in the RSS feeds and planning features when processing RSS feeds or external calendar data. A remote user can supply a crafted feed or calendar source to scan ports or services on the GLPI server or its private network.

Query responses are not exposed to the end user.
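As an added example (not GLPI's own code), the kind of outbound-URL check that mitigates the feed/calendar SSRF described above: before any request is issued, the scheme, destination port and every address the host resolves to are validated, so a user-supplied source cannot reach loopback, link-local or private ranges, and port choice is limited to ordinary web ports. The `resolver` parameter is a hypothetical hook so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # feed/calendar servers; prevents use as a port scanner

def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.5 must be judged as IPv4,
    # otherwise it would slip past the private-range checks.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA record it returns."""
    return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})

def check_feed_url(url: str, resolver=default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied feed or calendar URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        # Literal IP: no DNS lookup needed (urlsplit already strips IPv6 brackets).
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            addresses = resolver(parts.hostname)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve"
    # Every record must be public; a single private record is enough to reject.
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"
```

Because the name is resolved once here and again by the HTTP client, a production fetcher should connect to the validated IP (or pin the resolution) to avoid a rebinding window between check and use.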


2) Input validation error (CVE-ID: CVE-2022-35946)

The vulnerability allows a remote user to alter database data.

The vulnerability exists due to improper input validation in the plugin controller when handling request input. A remote privileged user can send a specially crafted request to alter database data.

The issue can be used to access the low-level API of the Plugin class.


3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2022-31187)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper neutralization of script-related HTML tags in global search when rendering search content. A remote user can inject script-related HTML tags to cause a denial of service.


4) Information disclosure (CVE-ID: CVE-2022-31143)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the login page's error handling. A remote attacker can trigger a login page error to disclose sensitive information.

Passwords are not exposed.


5) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2022-35945)

The vulnerability allows a remote user to steal an administrator cookie.

The vulnerability exists due to improper neutralization of script-related HTML tags in the registration key configuration page when rendering information associated with a registration key. A remote user can create a crafted registration key to steal an administrator cookie.


Remediation

Install the update from the vendor's website.