Stored XSS - Entity name not sanitize in Ticket creation page in glpi-project/glpi

Valid

Reported on

Oct 26th 2022


Description

An Administrator can set a Cross-Site Scripting (XSS) payload inside an entity name. This XSS will be executed on the Ticket Creation page (Menu -> Assistance -> Create Ticket).

Proof of Concept

1. Set an XSS in Entity name

Set an XSS in Entity name

2. Go to the "Create Ticket" page

Go to the "Create Ticket" page

3. XSS is excuted

XSS is excuted

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose.

Source OWASP - Cross Site Scripting (XSS)

References

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a month ago
xanhacks modified the report
a month ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a month ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 7 days. a month ago
Cédric Anne validated this vulnerability a month ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne marked this as fixed in 10.0.4 with commit 6f208f a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability a month ago
Entity.php#L3926 has been validated
xanhacks
a month ago

Researcher


Hey, could we assign a CVE id to this vulnerability ?

to join this conversation