GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a popular open-source IT asset management platform that offers features such as an ITIL service desk, license tracking, and software auditing. However, a vulnerability identified as CVE-2022-39372 allows authenticated users to store malicious code within their account information. This exposes the entire GLPI system and its users to potential cyber-attacks.
This post aims to provide an in-depth understanding of the CVE-2022-39372 vulnerability, its effects on the GLPI system, and the steps needed to patch it. In addition, we provide original references and code snippets for further clarification.
Background on GLPI
GLPI is an essential tool for many IT departments, offering comprehensive management of assets and tracking for organizations. It is particularly well-suited for those who need to comply with stringent auditing requirements. For more information on GLPI and its features, please visit the official GLPI website.
CVE-2022-39372 Vulnerability
The vulnerability CVE-2022-39372 is classified as a stored cross-site scripting (XSS) vulnerability. An attacker injects a malicious script into data that the application stores and later renders, and the script is then executed in the browsers of other users accessing the system.
To exploit this vulnerability, an attacker must first have authenticated access, meaning valid login credentials. Once logged in, the attacker can store the malicious code in their account information, which is subsequently executed whenever other users view the affected content.
A code snippet demonstrating the vulnerable pattern is as follows:
<?php
// Vulnerable code: request input is written to the profile fields as-is.
// Nothing is escaped and nothing is bound as a query parameter, so whatever
// one user stores here is later served unchanged to everyone who views it.
$user = $_POST['username'];
$email = $_POST['email'];
$about = $_POST['about'];
$sql = "UPDATE users SET email='$email', about='$about' WHERE username='$user'";
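The hardened counterpart of that snippet, as an added example that is not GLPI's own code: profile fields are written with a prepared statement and encoded at output time, so markup saved by one user is displayed as text in another user's browser instead of being executed. The table and column names, the in-memory SQLite stand-in for the real database, and the sample payload are assumptions.

```php
<?php
// Added example (not GLPI code): hardened storage and rendering of profile fields.
declare(strict_types=1);

// In-memory SQLite stands in for the application's database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, about TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test', '')");

// Store profile fields with bound parameters: user input never becomes SQL text.
function updateProfile(PDO $pdo, string $user, string $email, string $about): void
{
    $stmt = $pdo->prepare(
        'UPDATE users SET email = :email, about = :about WHERE username = :user'
    );
    $stmt->execute([':email' => $email, ':about' => $about, ':user' => $user]);
}

// Encode a stored value for an HTML context at the moment it is rendered.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids dropping the
// whole string on malformed UTF-8, which would otherwise hide the field silently.
function renderField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for script stored in the "about" field.
$sample = '<script>alert(1)</script>';
updateProfile($pdo, 'alice', 'alice@example.test', $sample);

$row = $pdo->query("SELECT about FROM users WHERE username = 'alice'")
           ->fetch(PDO::FETCH_ASSOC);

// Side by side: what unescaped rendering would emit versus the encoded form.
$unescaped = '<p>' . $row['about'] . '</p>';
$escaped   = '<p>' . renderField($row['about']) . '</p>';

echo "Unescaped: $unescaped\n";   // the stored tag would reach the browser as markup
echo "Escaped:   $escaped\n";     // &lt;script&gt;... is displayed literally
```

Escaping belongs at the output point for the context being rendered; storing pre-escaped text instead tends to break once the same value is shown in a second context such as a JSON API or an attribute.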
Official References & Patch Information
The CVE-2022-39372 vulnerability has been reported on the official CVE website, as well as on the National Vulnerability Database.
Thankfully, the security issue has been addressed and a patch is available. To secure your GLPI installation against this vulnerability, all users are urged to upgrade to version 10.0.4 or later. The latest version can be downloaded from the GLPI GitHub repository.
There are currently no known workarounds for the CVE-2022-39372 vulnerability, making the upgrade to version 10.0.4 an essential step for all GLPI users.
Conclusion
The CVE-2022-39372 vulnerability poses a significant risk to GLPI installations and their users. To maintain the highest level of security and prevent potential cyber-attacks, it is crucial for all GLPI users to update their software to version 10.0.4 or later, thereby patching the system against this vulnerability. Stay vigilant and keep your IT asset management system secure!
Timeline
Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 18:56:00 UTC