GLPI is a well-known open source IT and asset management solution. Many teams use its features for handling tickets, resources, and even project planning. To expand its capabilities, the tasklists plugin gives users a Kanban board view—perfect for organizing projects. But if you were running a version of this plugin before 2..3, here’s what you need to know: your GLPI instance was vulnerable to a nasty Cross-site Scripting (XSS) bug tracked as CVE-2022-39398.
Let’s dive into the details, see how the flaw works, check out a code snippet of the vulnerability, and talk about how attackers could exploit your system.
What Is CVE-2022-39398?
CVE-2022-39398 is a Cross-site Scripting (XSS) vulnerability in the tasklists plugin for GLPI. The flaw allows an attacker to inject malicious JavaScript into task content while adding a new task. When another user opens the Kanban board or the particular task, the injected script runs in their session.
Affected Versions:
All versions prior to 2..3
Patched in: 2..3
No workaround: You must update to stay safe.
What Is XSS and Why Should I Care?
XSS means an attacker can insert code (like JavaScript) that runs when someone else visits a particular page. That code can steal cookies, redirect users, manipulate pages—basically hijack your users’ sessions or trick them into doing things they shouldn’t.
How the Vulnerability Works
The flaw was found in how the task content field is processed when adding a task. Versions before 2..3 did not properly sanitize HTML in user input. This meant that if you created a new task and wrote this as the task content:
<script>alert('XSS in Your GLPI!');</script>
…the Kanban board would save it, and anyone viewing the board with that task would immediately see an alert pop up—and the attacker could do much more than pop alerts.
This would look like
!Example: Malicious task content XSS
*Image simulation – the attacker adds a script as the task content.*
Example of the Vulnerable Code
For exclusive insight, here’s a conceptual PHP snippet of how unsanitized input could have caused the problem:
// Before version 2..3 (vulnerable):
echo "<div class='task-content'>" . $_POST['content'] . "</div>";
// This echoes whatever is submitted as 'content', including scripts!
What should be done instead?
// Proper fix (sanitizing input):
echo "<div class='task-content'>" . htmlspecialchars($_POST['content']) . "</div>";
The htmlspecialchars function escapes special characters such as <, >, and ", so scripts can’t run.
Attacker logs in (with normal, non-admin permissions).
2. They navigate to the Kanban plugin, create a new task, and use the "content" field to insert <script>...</script> code.
Unsuspecting user or admin opens the Kanban board.
4. The malicious script executes in the unsuspecting user's browser—maybe stealing their session cookie or redirecting them.
That means anyone with access to add or edit tasks could attack other users, including admins.
No Workarounds, Patch Required
The maintainers patched this in 2..3 by sanitizing task content. There are no other workarounds—if you run tasklists < 2..3 on your GLPI, you are vulnerable!
What To Do
- Update now: Visit the tasklists releases page and get version 2..3 or later.
- Audit user activity: If you’ve been running a vulnerable version and see suspicious Kanban tasks with script tags, assume accounts may be compromised.
- Educate users: Remind them not to use Kanban notes to store sensitive info unless the system is fully updated.
References
- CVE-2022-39398 on GitHub Advisory Database
- GLPI tasklists Plugin Releases
- Full Github Issue / Advisory
Final Thoughts
Cross-site Scripting bugs are some of the oldest—yet hardest-hitting—security flaws on the web. If you manage a GLPI system with tasklists installed, don’t play with fire. Update the plugin to 2..3 or newer as soon as possible.
*Stay safe, and make sure your Kanban stays your team workspace, not an attacker’s playground!*
Timeline
Published on: 11/10/2022 01:15:00 UTC
Last modified on: 11/11/2022 02:00:00 UTC