← Back to CVE List

CVE-2020-15177

Published: 2020-10-07T19:15Z
Last Modified: 2024-11-21T05:05Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt