#VU56689 Improper Neutralization of Special Elements in Output Used by a Downstream Component in GLPI - CVE-2021-39213


Vulnerability identifier: #VU56689

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-39213

CWE-ID: CWE-74

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GLPI
Web applications / CRM systems

Vendor: glpi-project

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper inout validation. A remote authenticated attacker can bypass API with custom header injection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.1 - 9.5.5

External links
https://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777
https://github.com/glpi-project/glpi/releases/tag/9.5.6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in GLPI