XSS on external links bypass filters in glpi-project/glpi


Reported on

Feb 20th 2023


I recently found a bypass for external links that allows an attacker to inject JavaScript into external links.

Proof of Concept

As an admin user

Go to /front/link.form.php?id=1

Using a special character before the javascript:alert(1), this bypasses the filters and the protocol still works.

Copy and paste the character HERE

Replace the X by the special character

Create an external link and put as value the payload Xjavascript:alert(1)

Assign this link to budgets (example)

As a regular user

Go to /front/budget.form.php?id=1

Click on the links tab

Move the mouse over the link

XSS triggered


This vulnerability would potentially allow attackers to hijack the user's current session, steal relevant information, deface the website or direct users to malicious websites, and there is even the possibility of escalating the level of exploitation or more advanced attacks (for example, create privileged users).
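
A defensive check for this class of bug, as an added example that is not part of the original report and not GLPI's own fix: a raw-prefix filter is compared with a scheme allowlist applied after WHATWG URL parsing, which is how a browser decides the scheme. The allowlist, the `glpi.example` base URL, the function names and the sample inputs (including U+0001 as a stand-in for the special character the report does not name) are assumptions constructed for illustration.

```javascript
// Added example, not GLPI code. Names, allowlist and base URL are hypothetical.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]); // assumed policy
const BASE = "https://glpi.example/"; // placeholder origin for relative links

// Weak check shown for contrast: looks only at the raw string prefix,
// so it can disagree with the scheme the browser ends up using.
function naiveIsSafe(href) {
  return !href.toLowerCase().startsWith("javascript:");
}

// Hardened check: parse with the WHATWG URL parser (same rules as browsers,
// which drop leading control characters/spaces and embedded tabs/newlines),
// allow only known-good schemes, and return the parser's own serialization
// so the value rendered in the page is exactly the value that was validated.
function safeHref(href, base = BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return null; // unparsable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed sample inputs (not taken from the report).
const SAMPLES = [
  "https://example.org/doc?id=1",
  "/front/budget.form.php?id=1",
  "javascript:alert(1)",
  "\u0001javascript:alert(1)", // stand-in for the report's unnamed character
  "java\tscript:alert(1)",
];

// Run both checks side by side; JSON.stringify makes control characters visible.
function auditLinks(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    naiveAccepts: naiveIsSafe(s),
    hardened: safeHref(s),
  }));
}

console.table(auditLinks(SAMPLES));
```

Rows where `naiveAccepts` is true and `hardened` is null are inputs that a prefix filter lets through but that parse to a disallowed scheme.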

We are processing your report and will contact the glpi-project/glpi team within 24 hours. 3 months ago
Edra modified the report
3 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 3 months ago
glpi-project/glpi maintainer modified the Severity from Medium (4.5) to Medium (4.5) 3 months ago
Cédric Anne
3 months ago


See https://github.com/glpi-project/glpi/security/advisories/GHSA-55pm-mc2m-pq46

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Cédric Anne validated this vulnerability 3 months ago
Edra has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne marked this as fixed in 10.0.7 with commit 5ed5ce 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability 2 months ago