GLPI (Gestionnaire Libre de Parc Informatique) is free, open-source software for managing and maintaining IT assets. It offers an ITIL service desk, license tracking, and software auditing, among other features. A critical vulnerability, tracked as CVE-2022-39376, affects GLPI versions 10.0.3 and earlier: users can inject custom field values into mailto links. A patch has been released, and users are advised to upgrade to version 10.0.4. Read on for the details of the issue and the fix.

Exploit Details

CVE-2022-39376 results from improper input validation and missing output encoding in the mailto links that some GLPI components build from custom field values. An attacker who can set such a value can place HTML markup, including script, into the link, and because the value is emitted into the page without encoding, that markup runs in the browser of any user who views the page containing the link. This is the familiar stored cross-site scripting pattern, and the usual consequences apply: phishing, session hijacking, and exfiltration of sensitive information from the authenticated GLPI session.

Here is a simplified (and deliberately vulnerable) PHP snippet illustrating the pattern:

<?php
// Deliberately vulnerable: the subject and body are concatenated into the
// mailto URL with no percent-encoding and no validation of their content.
function createMailtoLink($email, $subject, $content) {
  return "mailto:" . $email . "?subject=" . $subject . "&body=" . $content;
}

// The subject plays the role of an attacker-controlled custom field value.
$mailtoLink = createMailtoLink("user@example.com", "<script>alert('XSS');</script>", "
Hi,

Your account has been upgraded.

Best regards,

Admin");

// The <script> tag survives untouched in the resulting URL.
echo $mailtoLink, "\n";

In this snippet the $subject value carries a <script> tag, and createMailtoLink() concatenates it into the mailto URL unchanged: the query values are not percent-encoded, and the custom field that supplied them is not validated. Note that clicking a mailto: link by itself only hands the URL to a mail client; the script runs when the unencoded URL is written into the page's HTML without escaping, because the browser then parses the injected markup as part of the page rather than as part of the link.
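As an added example (not GLPI's code and not from the original post), here is the unsafe pattern beside a hardened builder that applies the two encodings the flaw is missing: percent-encoding of the mailto query values and HTML escaping of the finished URL before it enters the href attribute. The function names and the sample field value are assumptions made for illustration.

```php
<?php
// Added example, not code from GLPI or from the page's author: the unsafe
// concatenation pattern from the snippet above beside a hardened builder.
// Function names and the sample field value are illustrative assumptions.

// UNSAFE: caller-supplied strings are concatenated straight into the URL and
// then straight into the href attribute. A value containing '"' followed by
// '>' ends the attribute and the tag, so whatever follows is parsed as markup.
function renderMailtoUnsafe(string $email, string $subject, string $body): string
{
    $href = "mailto:" . $email . "?subject=" . $subject . "&body=" . $body;
    return '<a href="' . $href . '">Email user</a>';
}

// HARDENED: two distinct encodings for two distinct contexts.
//  1. Percent-encode each mailto query value (RFC 6068 uses the same %XX
//     encoding as other URLs), so '&', '=', '<', '>' and '"' cannot change
//     the URL's structure or smuggle in extra parameters.
//  2. HTML-escape the finished URL before it goes into the href attribute.
function renderMailtoSafe(string $email, string $subject, string $body): string
{
    // Reject anything that is not syntactically an address rather than trying
    // to percent-encode the address part ('@' must stay literal there).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid recipient address');
    }
    // rawurlencode() emits %20 for spaces; urlencode() would emit '+', which
    // mail clients show literally in a mailto subject.
    $href = 'mailto:' . $email
        . '?subject=' . rawurlencode($subject)
        . '&body=' . rawurlencode($body);
    $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">Email user</a>';
}

// Constructed sample: a custom-field value an attacker could have stored.
$subject = '"><img src=x onerror=alert(document.domain)>';
$body    = "Hi,\n\nYour account has been upgraded.\n\nBest regards,\nAdmin";

echo "Unsafe rendering:\n", renderMailtoUnsafe('user@example.com', $subject, $body), "\n\n";
echo "Hardened rendering:\n", renderMailtoSafe('user@example.com', $subject, $body), "\n";
```

Run it with `php example.php`. In the unsafe output the `">` at the start of the subject closes the href attribute and the `<a>` tag, leaving a live `<img onerror=...>` element in the page; in the hardened output the same value appears as `%22%3E%3Cimg%20src%3Dx...` inside the attribute and the `&` between parameters is emitted as `&amp;`, so nothing escapes the URL or the attribute. Percent-encoding alone is not enough: a URL built safely but pasted into HTML without escaping is still injectable, which is why the two steps are kept separate.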

For more information and technical details about this vulnerability, refer to the following sources:

1. CVE Details - CVE-2022-39376
2. GLPI Security Advisory - GLPI-SA-2022-01
3. National Vulnerability Database Entry - CVE-2022-39376

Mitigation and Patch Information

As mentioned earlier, the GLPI development team has already released a patch addressing this vulnerability. To protect your GLPI installation, upgrade to version 10.0.4 immediately. The latest release and update instructions are available on the GLPI GitHub page.

Please note that there are no known workarounds to address this issue without applying the patch, so upgrading to the latest version is essential for ensuring your GLPI installation's security.

Conclusion

CVE-2022-39376 poses a significant risk to GLPI installations running version 10.0.3 or earlier. Administrators should upgrade to version 10.0.4 promptly to protect their IT asset data from attacks exploiting this flaw. More generally, keeping software up to date reduces the window in which known vulnerabilities can be exploited.

Timeline

Published on: 11/03/2022 16:15:00 UTC
Last modified on: 11/03/2022 19:11:00 UTC