Improper Input Validation on email links in glpi-project/glpi


Reported on Oct 28th 2022


In GLPI, users can add their own email addresses to their accounts. However, the address is not validated, so a user can append extra query parameters to the value and have them rendered into the mailto: link that GLPI builds from it.

Email links support multiple parameters, such as:

  • cc
  • bcc
  • body
  • subject
  • multiple emails (email1, email2, ...)
  • ...

Example : mailto:someone@somedomain.tld?subject=Hello&body=Hello%20World

Proof of Concept

Any account can set its own email address in its settings; no particular privilege is needed.

If someone clicks the resulting hyperlink, their mail client can be tricked into sending the email to someone else (for example an attacker address injected through cc or bcc) or with a pre-filled subject and body.

Social engineering

It is hard to notice that the staff email shown in the screenshot is actually linked to another domain.

I used, !=


A victim who clicks such a link could unknowingly send sensitive information to an attacker via email, for example through an injected cc or bcc recipient.


Timeline

  • Report received; the glpi-project/glpi team was contacted
  • Cédric Anne validated this vulnerability
  • xanhacks was awarded the disclosure bounty
  • Cédric Anne marked this as fixed in 10.0.4 with commit 7dc87c
  • This vulnerability has been published