SB2021030314 - Multiple vulnerabilities in GLPI
Published: March 3, 2021
Description
This security bulletin contains information about 9 security vulnerabilities fixed in GLPI 9.5.4.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21326)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly enforce security restrictions, which allows a remote attacker to bypass those restrictions and escalate privileges.
2) Missing Authorization (CVE-ID: CVE-2021-21255)
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.
The vulnerability exists due to an insecure direct object reference (IDOR) when switching entities: the entity identifier supplied by the client is trusted without checking that the logged-in user is actually assigned to that entity. A logged-in user can switch into an entity they have not been granted access to.
3) Cross-site scripting (CVE-ID: CVE-2021-21258)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in ajax/kanban. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2021-21314)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on ticket update. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) Stored cross-site scripting (CVE-ID: CVE-2021-21312)
The disclosed vulnerability allows a remote attacker to perform stored cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on documents. A remote attacker can inject a payload that is stored by the application and executed as arbitrary HTML and script code in the browser of every user who later views the affected document, in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
6) Cross-site scripting (CVE-ID: CVE-2021-21313)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on tabs. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Stored cross-site scripting (CVE-ID: CVE-2021-21325)
The disclosed vulnerability allows a remote attacker to perform stored cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in budget type. A remote attacker can inject a payload that is stored by the application and executed as arbitrary HTML and script code in the browser of every user who later views the affected budget type, in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
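Items 3) to 7) share one root cause: a value that a user controls (a document name, a budget type, a tab or kanban parameter) is written into a page without escaping for the context it lands in. The following added example is not GLPI code; the rendering functions and the stored value are constructed for illustration. It renders the same string once unescaped and once with escaping chosen per output context, which is the distinction a fix for this class of bug has to get right.

```php
<?php
// Added illustration for items 3) to 7): one user-controlled value rendered without
// and with context-appropriate escaping. Not GLPI code; functions and data are assumed.

// Constructed stored value, e.g. a document or budget type name saved by a low-privileged user.
$name = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: raw interpolation into an HTML cell and into an inline JavaScript string.
function renderVulnerable(string $name): string
{
    return "<td>$name</td>\n<script>var title = '$name';</script>";
}

// Hardened: the HTML context gets htmlspecialchars with ENT_QUOTES (so it is also safe
// inside quoted attributes); the JavaScript string context gets json_encode with the
// HEX flags so '<', '>', '&' and quotes cannot terminate the script block.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function renderHardened(string $name): string
{
    return "<td>" . escHtml($name) . "</td>\n<script>var title = " . escJs($name) . ";</script>";
}

echo "--- vulnerable ---\n", renderVulnerable($name), "\n";
echo "--- hardened ---\n", renderHardened($name), "\n";
```

Note that escaping on output is the fix; sanitizing on input does not help against payloads that were stored before the patch, which is why existing data has to be reviewed after upgrading.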
8) Unsafe reflection (CVE-ID: CVE-2021-21327)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to unsafe reflection in getItemForItemtype(): the item type name passed to the function is used to instantiate a class without restricting it to legitimate GLPI item types. A remote attacker can use this to gain elevated privileges on the system.
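The following added example shows the unsafe reflection pattern named in item 8) and one way to close it. It is not GLPI's getItemForItemtype() and not the project's fix; the base class, the item type classes and the request handling are assumptions made for the example. The hardened version refuses any class name that is not a subclass of the expected base type, so a built-in or unrelated class supplied by the client can no longer be instantiated.

```php
<?php
// Added illustration of the unsafe reflection pattern in item 8). NOT GLPI's actual
// getItemForItemtype(); the classes below are assumptions made for this example.

abstract class CommonGLPI {}               // assumed base class of every legitimate item type
class Ticket extends CommonGLPI {}          // assumed legitimate item type
class DangerousService                      // assumed class that must never be client-reachable
{
    public function __construct()
    {
        echo "  (DangerousService constructor side effect executed)\n";
    }
}

// Vulnerable: any loadable class name taken from the request is instantiated.
function getItemForItemtypeVulnerable(string $itemtype)
{
    if (class_exists($itemtype)) {
        return new $itemtype();
    }
    return false;
}

// Hardened: accept only plain identifiers, require the class to exist, and require it
// to descend from the expected base type before instantiating it.
function getItemForItemtypeHardened(string $itemtype)
{
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $itemtype)) {
        return false;                       // rejects namespaces, separators, odd characters
    }
    if (!class_exists($itemtype) || !is_subclass_of($itemtype, CommonGLPI::class)) {
        return false;
    }
    return new $itemtype();
}

// Constructed inputs: a legitimate type, an unrelated application class, a PHP built-in.
foreach (['Ticket', 'DangerousService', 'SplStack'] as $requested) {
    echo "itemtype={$requested}\n";
    $v = getItemForItemtypeVulnerable($requested);
    $h = getItemForItemtypeHardened($requested);
    printf("  vulnerable: %s\n", $v === false ? 'refused' : 'instantiated ' . get_class($v));
    printf("  hardened:   %s\n", $h === false ? 'refused' : 'instantiated ' . get_class($h));
}
```

The allow-by-type check is the important part: a deny list of known dangerous classes would miss every class added later, including third-party plugin code loaded by the autoloader.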
9) Missing Authorization (CVE-ID: CVE-2021-21324)
The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.
The vulnerability exists due to an insecure direct object reference (IDOR) on "Solutions": the solution identifier supplied by the client is acted on without checking that the user is allowed to modify the ticket it belongs to. A remote attacker can delete arbitrary ticket solutions.
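Items 2) and 9) are the same mistake applied to two objects: the request carries an identifier, the code checks that the identified record exists, and nobody checks that the current user is allowed to touch it. The following added example is not GLPI code; the in-memory tables, the user and entity model and the function names are assumptions. It shows a delete handler with and without the ownership check, and reuses the same check for an entity switch.

```php
<?php
// Added illustration of the IDOR pattern behind items 2) and 9). NOT GLPI code: the
// in-memory tables, user/entity model and function names are assumptions.

// Constructed data: two entities, two users, one ticket and one solution per entity.
$users = [
    10 => ['name' => 'alice', 'entities' => [1]],   // alice is assigned to entity 1 only
    20 => ['name' => 'bob',   'entities' => [2]],   // bob is assigned to entity 2 only
];
$tickets   = [100 => ['entities_id' => 1], 200 => ['entities_id' => 2]];
$solutions = [
    5 => ['tickets_id' => 100, 'content' => 'Rebooted core switch'],
    6 => ['tickets_id' => 200, 'content' => 'Replaced PSU'],
];

// Vulnerable: existence of the record is the only thing checked before deleting.
function deleteSolutionVulnerable(array &$solutions, int $id): bool
{
    if (!isset($solutions[$id])) {
        return false;
    }
    unset($solutions[$id]);
    return true;
}

function userHasEntity(array $users, int $userId, int $entityId): bool
{
    return in_array($entityId, $users[$userId]['entities'] ?? [], true);
}

// Hardened: resolve the object, then authorize against the entity it belongs to.
function deleteSolutionHardened(array &$solutions, array $tickets, array $users, int $userId, int $id): bool
{
    if (!isset($solutions[$id])) {
        return false;
    }
    $entityId = $tickets[$solutions[$id]['tickets_id']]['entities_id'] ?? null;
    if ($entityId === null || !userHasEntity($users, $userId, $entityId)) {
        return false;                       // same answer as "not found": no existence oracle
    }
    unset($solutions[$id]);
    return true;
}

// The same check applied to an entity switch: only entities the user is assigned to.
function switchEntity(array $users, int $userId, int $requestedEntity): ?int
{
    return userHasEntity($users, $userId, $requestedEntity) ? $requestedEntity : null;
}

// bob (entity 2) tries to delete alice's solution 5, then his own solution 6, then to switch into entity 1.
$copy = $solutions;
printf("vulnerable: bob deletes solution 5 -> %s\n", deleteSolutionVulnerable($copy, 5) ? 'deleted' : 'refused');
$copy = $solutions;
printf("hardened:   bob deletes solution 5 -> %s\n", deleteSolutionHardened($copy, $tickets, $users, 20, 5) ? 'deleted' : 'refused');
printf("hardened:   bob deletes solution 6 -> %s\n", deleteSolutionHardened($copy, $tickets, $users, 20, 6) ? 'deleted' : 'refused');
printf("hardened:   bob switches to entity 1 -> %s\n", switchEntity($users, 20, 1) === null ? 'refused' : 'allowed');
```

Returning the same result for "does not exist" and "not yours" is deliberate: a distinguishable response lets an attacker enumerate valid identifiers even when the action itself is blocked.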
Remediation
Update to GLPI 9.5.4 or later (see the release and commit references below). Upgrading closes the injection points but does not remove stored XSS payloads that were saved in documents or budget types before the upgrade; review that data after updating. Also review entity and solution changes made by low-privileged accounts during the exposure window, since the IDOR issues leave no other trace than the modifications themselves.
References
- https://github.com/glpi-project/glpi/releases/tag/9.5.4
- https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc
- https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j
- https://github.com/glpi-project/glpi/commit/e7802fc051696de1f76108ea8dc3bd4e2c880f15
- https://github.com/glpi-project/glpi/security/advisories/GHSA-j4xj-4qmc-mmmx