CVE-2019-1010310: Injection in Product

CWE-74: Injection | 6 documents | 4 sources
Severity
3.5 LOW (NVD)
EPSS
0.2%
top 53.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 12
Latest update: May 24

Description

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit. The request is sent to the attacker domain saving the data. The

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Exploitability: 0.9 | Impact: 2.5

Affected Packages (2 packages)

CVEListV5: glpi/glpi_product 9.3.1 [fixed: 9.4.1]

Patches

Vulnerability Details (2)

GHSA
GHSA-3fmc-jv5p-q6h3: GLPI GLPI Product 9 (2022-05-24)
OSV
CVE-2019-1010310: GLPI GLPI Product 9 (2019-07-12)

Community (3)

Bugzilla
CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > Description section (2019-08-02)
Bugzilla
CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > Description section [fedora-29] (2019-08-02)
Bugzilla
CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > Description section [epel-7] (2019-08-02)