Stored XSS in glpi-project/glpi

Valid

Reported on

Sep 26th 2022


Description

GLPI has a feature to customize the "Text in the login box". Due to bad sanitization, this field accepts HTML such as a "form" element whose button carries a formaction attribute with a javascript: URL, which executes JavaScript code on the login page. Note that the payload contains neither a script tag nor an on* event handler, so a deny-list filter that only removes those does not stop it.

  1. Log in as user glpi/glpi (admin user).
  2. Go to HOME->SETUP->GENERAL http://yoursite.com/front/config.form.php
  3. Edit the field "Text in the login box (HTML tags supported)" and insert the payload.
  4. Log out.
  5. Open the login page and click the injected button to trigger the XSS.

Proof of Concept

PAYLOAD: <form><button formaction=javascript:alert(document.location)>click

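The payload above works precisely because it avoids the two things most ad-hoc filters look for (a script tag and an on* attribute). The following is an added example, not GLPI's own sanitizer, that runs the report's payload through a naive deny-list filter and through an allow-list sanitizer built on Python's html.parser; the set of allowed tags and attributes is an assumption chosen for an admin-editable login banner.

```python
"""Deny-list vs. allow-list sanitization, run on the report's PoC payload.

Added example for this report; it is not GLPI's code. Allowed tags,
attributes and URL schemes are assumptions for a login-box banner.
"""
import html
import re
from html.parser import HTMLParser

# Payload from the report's proof of concept: no <script>, no on* handler.
PAYLOAD = "<form><button formaction=javascript:alert(document.location)>click"

# Assumed allow-list: what a login banner reasonably needs, nothing that can
# carry a URL other than <a href>, and no form controls at all.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a",
                "ul", "ol", "li", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def naive_denylist_sanitize(markup):
    """Deny-list filter: strips <script> tags and on* handlers only.

    It leaves <form>/<button> and the formaction attribute untouched, so the
    report's payload passes through unchanged.
    """
    markup = re.sub(r"<\s*/?\s*script[^>]*>", "", markup, flags=re.I)
    markup = re.sub(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "",
                    markup, flags=re.I)
    return markup


def safe_url(value):
    """Accept relative URLs and allow-listed schemes only.

    Browsers ignore ASCII control characters and whitespace inside a scheme,
    so "java\tscript:" must be normalised to "javascript:" before checking.
    """
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", cleaned)
    if m is None:
        return True  # no scheme: relative URL
    return m.group(1) in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises allow-listed tags/attributes; drops every other tag and
    escapes all text. html.parser unescapes attribute values for us, so
    entity-encoded schemes such as java&#9;script: are seen decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <form>, <button>, <script>, <svg>... vanish with their attributes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # formaction, onclick, style... never reach the output
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript:... are dropped
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize_allowlist(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    print("deny-list :", naive_denylist_sanitize(PAYLOAD))
    print("allow-list:", sanitize_allowlist(PAYLOAD))
```

The deny-list version returns the payload verbatim; the allow-list version reduces it to the text "click", because neither form nor button is an allowed tag, and even an allowed a element loses its href when the scheme is javascript:, including the tab- or entity-obfuscated spellings browsers still execute.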

Impact

The impact is JavaScript code execution in the browser of anyone who visits the login page, since the banner is displayed before authentication; an attacker can steal user credentials or perform other actions on the victim's behalf. However, admin privileges are required to edit the vulnerable input field.

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a year ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a year ago
glpi-project/glpi maintainer has acknowledged this report a year ago
Alexandre Delaunay modified the Severity from Medium (6.4) to Low (2.4) a year ago
Hakiduck modified the report
a year ago
Alexandre Delaunay modified the Severity from Low (2.4) to Medium (5.2) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alexandre Delaunay validated this vulnerability a year ago
Hakiduck has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the glpi-project/glpi team. We will try again in 7 days. a year ago
Hakiduck
a year ago

Researcher


Hi @admin, can you please assign CVE-2022-39262 to this bug?

We have sent a second fix follow up to the glpi-project/glpi team. We will try again in 10 days. a year ago
Ben Harvie
a year ago

Admin


Hi Hakiduck,

I'm afraid we can only assign CVEs to reports that have been assigned by huntr.dev and not by any other CNAs.

We have sent a third and final fix follow up to the glpi-project/glpi team. This report is now considered stale. a year ago
Cédric Anne marked this as fixed in 10.0.4 with commit 8505fb a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability a year ago