In this in-depth article, we discuss CVE-2022-39371, a vulnerability recently discovered in GLPI (Gestionnaire Libre de Parc Informatique), a popular open-source IT asset management solution. The vulnerability stems from improper neutralization of script-related HTML tags in GLPI's assets inventory information module. We provide code snippets, links to the original references, and a detailed explanation of the exploit.

Before we proceed, it is essential to note that this particular issue has been patched in version 10.0.4 of GLPI. So, if you have not already updated to the latest version, we highly recommend doing so to mitigate this vulnerability. Currently, there are no known workarounds for this issue other than upgrading to version 10.0.4.

Now, let us dive into the details of this vulnerability.

Code Snippet

The following code snippet demonstrates how the vulnerability arises due to incorrect handling of script-related HTML tags within the assets inventory information:

// Example vulnerable code in GLPI
$input = $_GET['user_input'];

// No proper neutralization of script-related HTML tags
echo "<div class='asset_inventory_information'>{$input}</div>";

As we can see from the code snippet above, user-input data is directly echoed without proper sanitization, which could lead to the insertion of malicious scripts within the assets inventory information module.
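
The snippet above next to a hardened form, as an added example that is not GLPI's own code or the project's actual patch. The helper names (escape_html, render_vulnerable, render_hardened) and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a GLPI function): encode a value for HTML text
// or a quoted attribute at the point where it is written into the page.
function escape_html(string $value): string
{
    // ENT_QUOTES encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of making htmlspecialchars() return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same markup as the snippet above: the value is interpolated as-is.
function render_vulnerable(string $input): string
{
    return "<div class='asset_inventory_information'>{$input}</div>";
}

// Hardened form: identical markup, value encoded on output.
function render_hardened(string $input): string
{
    return "<div class='asset_inventory_information'>" . escape_html($input) . "</div>";
}

// Constructed sample values standing in for inventory data.
$samples = [
    'legitimate' => 'R&D "lab" <rack 3>',
    'script tag' => "<script>alert('XSS')</script>",
];

foreach ($samples as $label => $value) {
    $hardened = render_hardened($value);

    // The encoded value must round-trip: a browser decoding the entities
    // shows the original text, but none of it is parsed as markup.
    $inner = substr($hardened, strlen("<div class='asset_inventory_information'>"), -strlen('</div>'));
    $roundTrips = html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $value;
    $noMarkup   = strpbrk($inner, "<>'\"") === false;

    printf("[%s]\n  vulnerable: %s\n  hardened:   %s\n  round-trips: %s, markup-free: %s\n",
        $label, render_vulnerable($value), $hardened,
        $roundTrips ? 'yes' : 'no', $noMarkup ? 'yes' : 'no');
}
```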

Exploit Details

An attacker could exploit this vulnerability by injecting a malicious script into the user-input data, like so:

http://vulnerable.site/glpi/?user_input=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E

When a user opens the above URL, the server decodes the user-input data and writes it into the response unescaped, so the injected JavaScript code runs in that user's browser as part of the GLPI page. In this case, the vulnerable GLPI application displays an alert with the message "XSS".

Such an attack, commonly known as a Cross-Site Scripting (XSS) attack, could have various adverse consequences, including but not limited to:

References

- Official CVE Page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39371
- GLPI Official Website: https://glpi-project.org/
- GLPI Github Repository: https://github.com/glpi-project/glpi
- Update Announcement: https://github.com/glpi-project/glpi/releases/tag/10.0.4

Conclusion

In conclusion, CVE-2022-39371 is a severe vulnerability that affects versions of GLPI prior to version 10.0.4. It arises due to improper handling of script-related HTML tags within the assets inventory information module, allowing a malicious attacker to inject and execute harmful scripts within the application. If you are running an older version of GLPI, we strongly recommend updating to version 10.0.4 to mitigate this vulnerability.

Timeline

Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 18:52:00 UTC