CVE-2019-1010310

Severity Score

3.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.

El producto GLPI versión 9.3.1 de GLPI, está afectado por: Inyección de etiquetas de marcos y formularios permitiendo a los administradores hacer phishing mediante la colocación de código en una descripción de recordatorio. El impacto es: los administradores pueden engañar a cualquier usuario o grupo de usuarios para obtener credenciales y tarjetas de crédito. El componente es: Tools ) Reminder ) Description .. Ajustar la descripción en cualquier etiqueta iframe/form y aplicar. El vector de ataque es: el atacante coloca un formulario de inicio de sesión, el usuario lo completa y hace clic en enviar. La petición se envía hacia el dominio del atacante que guarda los datos. La versión corregida es: 9.4.1.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-20 CVE Reserved
2019-07-12 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/glpi-project/glpi/releases/tag/9.3.1	Release Notes

URL	Date	SRC

URL	Date	SRC
https://github.com/glpi-project/glpi/pull/5519	2020-08-24

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Glpi-project Search vendor "Glpi-project"		Glpi Search vendor "Glpi-project" for product "Glpi"				9.3.1 Search vendor "Glpi-project" for product "Glpi" and version "9.3.1"		-		Affected