CVE-2022-39262 – GLPI

GLPI – Stored XSS
GLPI lets an administrator customize the "Text in the login box", a field that explicitly accepts HTML. The sanitization applied to that field does not remove the form and button elements or the formaction attribute. formaction takes a URL, so a javascript: URL placed there runs when the button is clicked, even though no script tag or on* event handler is present. Because the text is rendered on the login page, the injected markup is served to every visitor of the instance, authenticated or not.
POC – Proof of concept
- Log in as glpi/glpi (the default admin account).
- Go to Home -> Setup -> General (http://yoursite.com/front/config.form.php).
- Edit the field "Text in the login box (HTML tags supported)", insert the payload below and save.
- Log out.
- The login page now renders the payload; clicking the button executes the JavaScript and shows document.location.
PAYLOAD: <form><button formaction=javascript:alert(document.location)>click
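To show why this payload slips past a tag/attribute blocklist and how an allowlist sanitizer handles it, here is an added example in JavaScript (Node, no dependencies). It is not GLPI's code and does not reproduce GLPI's sanitizer or the vendor fix; both toy sanitizers, the allowed tag/attribute sets, the safeUrl rule and the sample inputs are assumptions constructed for this demonstration.

```javascript
// Added example, not part of the original advisory or of GLPI.
// Compares a blocklist sanitizer with an allowlist sanitizer on the
// CVE-2022-39262 payload. Regex-based for readability; production code
// should use a real HTML parser (or a library built on one).

const PAYLOAD = '<form><button formaction=javascript:alert(document.location)>click';

// Naive blocklist (assumption): strips <script> tags and on* event handler
// attributes, which are the vectors most people think of first.
function blocklistSanitize(html) {
  return html
    .replace(/<\s*\/?\s*script\b[^>]*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Allowlist (assumption): keep only listed tags and attributes, and treat
// every URL-valued attribute as untrusted until its scheme is checked.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'a', 'span']);
const ALLOWED_ATTRS = new Set(['href', 'class', 'title']);
const URL_ATTRS = new Set(['href']);

// Accept http(s), mailto, and relative URLs; reject any other scheme.
// Control characters and spaces are removed first because browsers ignore
// them inside a scheme ("java\tscript:" still runs).
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:|mailto:|\/|#)/.test(v) || !v.includes(':');
}

function allowlistSanitize(html) {
  return html.replace(/<\s*(\/?)\s*([a-zA-Z0-9]+)([^>]*)>/g, (m, slash, tag, attrs) => {
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';          // <form>, <button> are dropped
    if (slash) return `</${tag}>`;
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[3] ?? a[4] ?? a[5] ?? '';
      if (!ALLOWED_ATTRS.has(name)) continue;       // formaction, onclick, ... dropped
      if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
      kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Detection helper: does the output still carry a javascript: URL anywhere?
function containsJsUrl(html) {
  return /javascript\s*:/i.test(html.replace(/[\u0000-\u0020]/g, ''));
}

// Stand-alone demo
console.log('blocklist :', blocklistSanitize(PAYLOAD));   // payload survives untouched
console.log('allowlist :', allowlistSanitize(PAYLOAD));   // only the text "click" remains
console.log('js url left after blocklist:', containsJsUrl(blocklistSanitize(PAYLOAD)));
```

The blocklist never touches the payload: there is no script tag and no attribute starting with "on", so the javascript: URL in formaction reaches the page. The allowlist removes form and button outright, and even if a button element were allowed, formaction is not in the attribute allowlist and the scheme check would reject the URL value.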
Impact
The login box text is shown to everyone who loads the login page, so the script runs in the browser of any visitor who clicks the injected button, not only of the administrator who set it. An attacker who controls a script executed in the victim's browser can typically fully compromise that user: on a login page this includes capturing the credentials being typed, redirecting the victim to a phishing page, or performing actions with any session the victim already has. The attacker can carry out any of the actions that are applicable to the impact of reflected XSS vulnerabilities, with the difference that the payload persists until an administrator removes it.
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L (base score 5.2, Medium), see https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L
The score is held down by the preconditions: setting the field requires an account allowed to edit the general setup (PR:H), and each victim must click the injected button (UI:R).
Reference
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39262
https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/
https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4