Skip to main content

Glpi CVE-2019-1010310

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2019-07-12 josh@bress.net
3.5
CVSS 3.0 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 12, 2019 - 18:15 nvd
LOW 3.5

DescriptionNVD

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.

AnalysisAI

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-74. GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. Affected products include: Glpi-Project Glpi.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Glpi

View all
CVE-2013-5696 MEDIUM POC
6.8 Sep 23

inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installati

CVE-2025-24799 HIGH POC
7.5 Mar 18

GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers ca

CVE-2022-35914 CRITICAL POC
9.8 Sep 19

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Rat

CVE-2022-31056 CRITICAL POC
9.8 Jun 28

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking an

CVE-2013-2225 MEDIUM POC
6.4 May 27

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _pr

CVE-2024-27756 HIGH POC
8.8 Mar 15

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Rated high

CVE-2020-11060 HIGH POC
8.8 May 12

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Rated high severity (

CVE-2019-14666 HIGH POC
8.8 Sep 25

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. Rated hig

CVE-2014-9258 MEDIUM POC
6.5 Dec 19

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to exec

CVE-2024-29889 HIGH POC
8.1 May 07

GLPI is a Free Asset and IT Management Software package. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2013-2226 HIGH POC
7.5 May 14

Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands vi

CVE-2016-7508 HIGH POC
7.5 Jun 21

Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL co

Share

CVE-2019-1010310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy