Before diving into the vulnerability, let's quickly talk about GLPI. It stands for _Gestionnaire Libre de Parc Informatique_. In plain English, it’s a free and open source IT management solution. Sysadmins all over the world use GLPI to keep tabs on computers, licenses, assets, and to manage IT service requests (ITIL style).

GLPI is quite powerful and helps organizations keep everything tidy. But in late 2022, a dangerous vulnerability popped up—a bug that could let bad actors inject and run malicious scripts right from the application’s admin panel.

Let’s break CVE-2022-39373 down step-by-step, see how it can be exploited, and learn how to stay safe.

What is CVE-2022-39373?

CVE-2022-39373 is a security vulnerability found in GLPI versions before 10.0.4.

In a nutshell:
An administrator could store malicious code inside an "entity name." If anyone loads a page with that name, the code runs in their browser—opening the door to Cross-Site Scripting (XSS) attacks.

The bug was serious enough to get its own official identifier: CVE-2022-39373.

Who Is At Risk?

GLPI installations running versions before 10.0.4.

If your organization uses GLPI and hasn’t upgraded past version 10.0.3, you’re vulnerable and need to update immediately.

The Core Issue

In GLPI, system administrators can create and edit “entities” (think: business divisions, offices, or departments). Each entity has a name, and that name gets displayed all over the interface.

The bug: GLPI wasn’t properly sanitizing (cleaning) that name field before displaying it. That means JavaScript or HTML injected into the name could actually run in the browser of whoever viewed the page. For example:

<script>alert('Hacked!');</script>

If someone (even a trusted admin!) enters this as an entity name, anyone who visits pages referencing that entity will see the alert box—proof that any code could execute.

4. Save the entity.

5. Now, when any user views or selects this entity in GLPI, the embedded JavaScript runs. In a real-world attack, instead of an alert, the script could steal session cookies or perform malicious actions as the victim user.
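To make the root cause concrete, here is an added stand-alone illustration (written for this article, not GLPI's own code; GLPI itself is PHP) of the two rendering patterns side by side. The entity names, the `render_entity_*` helpers and the HTML fragment they produce are constructed assumptions; the point is that the same stored name is live markup under the unsafe pattern and harmless text once it is escaped at output time.

```python
import html
from html.parser import HTMLParser

# Constructed sample entity names (test fixtures, not real GLPI data).
# The second one carries the kind of payload the article describes.
BENIGN_NAME = "Finance & Accounting <EMEA>"
PAYLOAD_NAME = "<script>alert('Hacked!');</script>"


def render_entity_vulnerable(name: str) -> str:
    """The unsafe pattern: user-controlled text concatenated straight into
    HTML. Any markup inside `name` becomes live markup in the page."""
    return f'<h2 class="entity-title">{name}</h2>'


def render_entity_safe(name: str) -> str:
    """The hardened pattern: escape at output time, for the context the value
    lands in. html.escape(quote=True) also neutralises " and ', so the same
    helper is safe inside an attribute value as well as in element text."""
    safe = html.escape(name, quote=True)
    return f'<h2 class="entity-title" data-name="{safe}">{safe}</h2>'


class _ScriptFinder(HTMLParser):
    """Counts real <script> elements in rendered output. Escaped text never
    produces a start tag, so it is not counted."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.script_tags += 1


def count_script_elements(rendered_html: str) -> int:
    """How many <script> elements a browser would actually see."""
    parser = _ScriptFinder()
    parser.feed(rendered_html)
    parser.close()
    return parser.script_tags


def escaping_round_trips(name: str) -> bool:
    """Escaping is lossless for the reader: decoding the escaped output yields
    exactly the stored string, so the name still displays correctly."""
    return html.unescape(html.escape(name, quote=True)) == name


if __name__ == "__main__":
    for name in (BENIGN_NAME, PAYLOAD_NAME):
        unsafe = render_entity_vulnerable(name)
        safe = render_entity_safe(name)
        print("vulnerable:", unsafe, "-> script elements:", count_script_elements(unsafe))
        print("safe:      ", safe, "-> script elements:", count_script_elements(safe))
```

The escaping happens in the view, not when the name is saved: storing the raw string and escaping on every output path is what lets the same value be shown in HTML, an attribute, or an API response without a second round of cleaning.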

What Makes This Bad?

- Privilege escalation: An attacker with admin access can target other users with more privileges (like super-admins).

- Wider compromise: If reused elsewhere, the same bug could let attackers move laterally across systems.

Safe Now? Only If You Upgrade

The GLPI developers fixed this in version 10.0.4, released in late 2022. They added proper output escaping/sanitizing—so scripts in entity names are displayed as harmless text.

Upgrade GLPI to 10.0.4 or later.

- GLPI Releases on GitHub
- Official website: https://glpi-project.org

Why Does This Happen So Often?

User input (names, descriptions, etc.) is everywhere in web applications. If developers ever forget to sanitize this input before displaying it in pages, attackers can slip in scripts and break the trust of the application.
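Upgrading fixes how names are rendered, but any markup an administrator already saved stays in the database. As an added defender's check (not part of the article or of GLPI), the following Python audits entity names for markup that would have executed under the old rendering. The record layout and the `SAMPLE_ENTITIES` rows are constructed for the example and do not reflect GLPI's real schema; in practice you would feed it the names exported from your own instance.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for exported entity names.
# The "id"/"name" fields are an assumption for illustration, not GLPI's schema.
SAMPLE_ENTITIES = [
    {"id": 1, "name": "Root entity"},
    {"id": 2, "name": "Sales < EMEA > 2022"},             # '<' + space is text, not a tag
    {"id": 3, "name": "<script>alert('Hacked!');</script>"},
    {"id": 4, "name": '<b onmouseover="alert(1)">Sales</b>'},
    {"id": 5, "name": "Support &amp; Helpdesk"},           # entity-encoded, renders as text
]

# A tag starts with '<' immediately followed by an optional '/' and a letter,
# which mirrors how browsers decide between markup and literal text.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9-]*)[^>]*>")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
URL_SCHEME_RE = re.compile(r"(javascript|vbscript|data)\s*:", re.IGNORECASE)


@dataclass
class Finding:
    entity_id: int
    name: str
    reasons: list


def inspect_name(name: str) -> list:
    """Return the reasons a stored name deserves review (empty when clean)."""
    reasons = []
    tags = sorted({m.group(1).lower() for m in TAG_RE.finditer(name)})
    if tags:
        reasons.append("html tag(s): " + ", ".join(tags))
    if EVENT_ATTR_RE.search(name):
        reasons.append("inline event handler attribute")
    if URL_SCHEME_RE.search(name):
        reasons.append("script-capable URL scheme")
    return reasons


def audit_entities(rows) -> list:
    """Run inspect_name over every row and collect the ones that need review."""
    findings = []
    for row in rows:
        reasons = inspect_name(row["name"])
        if reasons:
            findings.append(Finding(row["id"], row["name"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_entities(SAMPLE_ENTITIES):
        print(f"entity {finding.entity_id}: {finding.name!r} -> {', '.join(finding.reasons)}")
```

A hit does not prove an attack happened, only that the name would have been interpreted as markup by the unpatched version; each flagged row is worth a look at who created it and when, which is exactly the "admin rights are not absolute trust" point the article makes.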

Additional References

- CVE-2022-39373 (NIST NVD)
- GLPI Security Advisory 2022-2
- GLPI GitHub Repository

The Takeaway

CVE-2022-39373 is a classic but critical security flaw in the widely used GLPI IT management software. If your organization runs GLPI, make sure you’re using 10.0.4 or later. Bugs like this highlight why regular patching is a must—admin rights don’t mean absolute trust, and sanitizing every bit of user input is the golden rule of secure web development.

Timeline

Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 18:59:00 UTC