=====================================================================
CERT-Renater Note d'Information No. 2023/VULN147
_____________________________________________________________________

DATE                 : 06/04/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running GLPI versions prior to 10.0.7 or 9.5.13.
=====================================================================

Sources:
https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6
https://github.com/glpi-project/glpi/security/advisories/GHSA-2c7r-gf38-358f
https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x
https://github.com/glpi-project/glpi/security/advisories/GHSA-4279-rxmh-gf39
https://github.com/glpi-project/glpi/security/advisories/GHSA-r93q-chh5-jgh4
https://github.com/glpi-project/glpi/security/advisories/GHSA-65gq-p8hg-7m92
https://github.com/glpi-project/glpi/security/advisories/GHSA-55pm-mc2m-pq46
https://github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf

_____________________________________________________________________

SQL injection and Stored XSS via inventory agent request
Severity : High
cedric-anne published GHSA-9r84-jpg3-h4m6

Package           : glpi (glpi)
Affected versions : >= 10.0.0
Patched versions  : 10.0.7

Description

Impact
The GLPI inventory endpoint can be used to drive a SQL injection attack. It
can also be used to store malicious code that could later be used to perform
an XSS attack. By default, the GLPI inventory endpoint requires no
authentication.

Patches
Upgrade to 10.0.7.

Workarounds
Disable native inventory.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : High, 8.6 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID     : CVE-2023-28849
Weaknesses : CWE-79, CWE-89
Credits    : @Alemmi (Alemmi)

_____________________________________________________________________

SQL injection through dynamic reports
Severity : High
cedric-anne published GHSA-2c7r-gf38-358f

Package           : glpi (glpi)
Affected versions : >= 0.50
Patched versions  : 9.5.13, 10.0.7

Description

Impact
A SQL injection vulnerability allows users with access rights to statistics
or reports to extract all data from the database and, in some cases, to
write a webshell on the server.

Workarounds
Remove the Assistance > Statistics and Tools > Reports read rights from
every user.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : High, 7.7 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Changed
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID     : CVE-2023-28838
Weaknesses : CWE-89
Credits    : @carlosevieira (carlosevieira)

_____________________________________________________________________

Account takeover by authenticated user
Severity : High
cedric-anne published GHSA-7pwm-pg76-3q9x

Package           : glpi (glpi)
Affected versions : >= 0.83
Patched versions  : 9.5.13, 10.0.7

Description

Impact
An authenticated user can modify the email addresses of any user, and can
therefore take over another user's account through the "forgotten password"
feature. By modifying email addresses, the user can also receive sensitive
data through GLPI notifications.

Workarounds
Account takeover can be prevented by deactivating all notifications related
to the "Forgotten password?" event. However, this will not prevent
unauthorized modification of any user's email addresses.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : High, 8.1 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : High
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID     : CVE-2023-28632
Weaknesses : CWE-269

_____________________________________________________________________

Privilege Escalation from technician to super-admin
Severity : Moderate
cedric-anne published GHSA-4279-rxmh-gf39

Package           : glpi (glpi-project)
Affected versions : >= 0.83
Patched versions  : 9.5.13, 10.0.7

Description

Impact
A user who has the Technician profile could see and generate a Personal
token for a Super-Admin. Using such a token it is possible to negotiate a
GLPI session and hijack the Super-Admin account, resulting in a privilege
escalation.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : Moderate, 6.7 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : High
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : High
  Availability        : Low
  Vector              : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CVE ID     : CVE-2023-28634
Weaknesses : CWE-285
Credits    : @smaury (smaury)

_____________________________________________________________________

Reflected XSS in search pages
Severity : Moderate
cedric-anne published GHSA-r93q-chh5-jgh4

Package           : glpi (glpi)
Affected versions : >= 0.85
Patched versions  : 9.5.13, 10.0.7

Description

Impact
A malicious link can be crafted by an unauthenticated user. The link
exploits a reflected XSS if any authenticated user opens it.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : Moderate, 6.5 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : Required
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE ID     : CVE-2023-28639
Weaknesses : CWE-79
Credits    : @Alemmi (Alemmi)

_____________________________________________________________________

Stored XSS through dashboard administration
Severity : Moderate
cedric-anne published GHSA-65gq-p8hg-7m92

Package           : glpi (glpi)
Affected versions : >= 9.5.0
Patched versions  : 9.5.13, 10.0.7

Description

Impact
A user with dashboard administration rights can tamper with the dashboard
form to store malicious code that is executed when other users use the
related dashboard.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : Moderate, 4.5 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : High
  User interaction    : Required
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CVE ID     : CVE-2023-28852
Weaknesses : CWE-80
Credits    : @007nicky (007nicky)

_____________________________________________________________________

Stored XSS on external links
Severity : Moderate
cedric-anne published GHSA-55pm-mc2m-pq46

Package           : glpi (glpi)
Affected versions : >= 0.60
Patched versions  : 9.5.13, 10.0.7

Description

Impact
This vulnerability allows an administrator to create a malicious external
link.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : Moderate, 4.5 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : High
  User interaction    : Required
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CVE ID     : CVE-2023-28636
Weaknesses : CWE-79
Credits    : @Edr4 (Edr4)

_____________________________________________________________________

Blind Server-Side Request Forgery (SSRF) in RSS feeds
Severity : Low
cedric-anne published GHSA-r57v-j88m-rwwf

Package           : glpi (glpi)
Affected versions : >= 0.84
Patched versions  : 9.5.13, 10.0.7

Description

Impact
Usage of RSS feeds is subject to an SSRF exploit. If the remote address is
not a valid RSS feed, an RSS autodiscovery feature is triggered. This
feature does not check the safety of URLs.

Patches
Upgrade to 10.0.7.

For more information
If you have any questions or comments about this advisory, mail us at
glpi-security@ow2.org.

Severity : Low, 3.5 / 10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : High
  Privileges required : Low
  User interaction    : None
  Scope               : Changed
  Confidentiality     : Low
  Integrity           : None
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE ID     : CVE-2023-28633
Weaknesses : CWE-918
Credits    : @MrEmpy (MrEmpy), Reporter

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41         +
+ 75013 Paris             | email: cert@support.renater.fr +
=========================================================