Recently, a vulnerability designated CVE-2022-39373 was disclosed in GLPI (Gestionnaire Libre de Parc Informatique), a popular open-source IT and asset management software suite. This vulnerability allows an attacker to store malicious code in the entity name, leading to potential Cross-Site Scripting (XSS) attacks. This post will delve into what this vulnerability entails, how an attacker can exploit it, and the steps administrators should take to remediate the threat.

GLPI is a widely used free asset and IT management suite. It combines ITIL-style service desk functionality with license tracking and software auditing, so a single installation typically holds inventory, user and ticket data for the whole organization. That central position is what makes a stored XSS flaw such as CVE-2022-39373 worth taking seriously, even though exploiting it requires an account that can already create or edit entities.

Original References

1. NVD - CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-39373
2. GLPI Official Security Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-4q2j-mf4x-4pf5

Exploit Details

The underlying issue in CVE-2022-39373 is that GLPI stores the entity name without neutralizing HTML and later renders it into pages without escaping it. Consequently, an authenticated attacker with administrative privileges (the rights needed to create or edit an entity) can inject markup, such as a script element, into the entity's name field, and that payload is then served to every user whose browser renders the name.

Here is a sample request demonstrating how this can be done. It must be sent from an authenticated session that is allowed to create entities; the bracketed values are placeholders, and the _glpi_csrf_token value is taken from the hidden field of the entity form that GLPI served to the same session:

POST /glpi/front/entity.form.php HTTP/1.1
Host: [glpi host]
Cookie: [authenticated GLPI session cookie]
Content-Type: application/x-www-form-urlencoded
Content-Length: [Length]

name=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&add=Add&_glpi_csrf_token=[token]

URL-decoded, the name field reads <script>alert("XSS");</script>. Editing an existing entity instead of adding one works the same way, since the name passes through the same unescaped path.

When the stored name is later rendered, the injected script executes in the origin of the GLPI application, in the browser of whichever user views the page: this is a stored (persistent) Cross-Site Scripting attack. From there the script can read data the victim is allowed to see, exfiltrate it to an attacker-controlled host, and perform actions in GLPI with the victim's privileges, including those of other administrators.

Remediation Steps

The developers of GLPI acknowledged this vulnerability and released a fix in version 10.0.4. To mitigate the risks associated with CVE-2022-39373, administrators should do the following:

1. Review and confirm whether your GLPI installations are affected: any version earlier than 10.0.4 is vulnerable. Because the flaw requires an account that can edit entities, also audit existing entity names for HTML or script content; a payload already stored is evidence of prior abuse and should be cleaned up and investigated.
2. Download and upgrade to GLPI 10.0.4 or later from the official GLPI repository: https://github.com/glpi-project/glpi/releases/tag/10.0.4
3. Test the upgraded version in your environment and confirm that no functionality is adversely affected.

By upgrading to GLPI 10.0.4 or later, administrators address the CVE-2022-39373 vulnerability within their environments and reduce the risk posed by stored XSS attacks.

Conclusion

In summary, CVE-2022-39373 is a stored XSS vulnerability in GLPI that lets a user with entity-editing rights plant script that runs in other users' browsers. By understanding how the flaw is exploited and what it can be used for, and by upgrading to 10.0.4 or later and auditing existing entity names, organizations can protect their IT asset data and deliver a more secure experience for their users.

Timeline

Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 18:59:00 UTC