CVE-2016-7509
Published: 2017-07-19
Priority: P4 21 · Medium 5.4 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.64% (46.0th percentile)
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-7507 CVE-2016-7509 glpi: Stored XSS and CSRF vulnerabilities [epel-7]
Bugzilla · 2017-07-20 · CVSS 8.0 · Severity: HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fed
Bugzilla
CVE-2016-7507 CVE-2016-7509 glpi: Stored XSS and CSRF vulnerabilities
Bugzilla · 2017-07-20 · CVSS 8.0 · Severity: HIGH
CVE-2016-7507:
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows
remote authenticated attackers to submit a request that could lead to
the creation of an admin account in the application.
CVE-2016-7509:
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote
authenticated attackers to inject arbitrary web script or HTML by
attaching a crafted HTML file to a ticket.
Upstream bug:
https://github.com/glpi-project/glpi/issues/2483
Upstream patch:
https://github.com/glpi-project/glpi/commit/fc9363360a12328057b69a29a9f233f0ab113bf4
Discussion:
Created glpi tracking bugs for this issue:
Affects: epel-7 [bug 1473177]
---
Package no longer present in epel.