CVE-2020-15177

CVE-2020-15177

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it’s possible to steal cookies, perform actions as the user, etc.

The issue is patched in version 9.5.2.

Source: CVE-2020-15177

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다