CVE-2019-1010310

low-risk
Published 2019-07-12

GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1.

Do I need to act?

-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.5/10 Low
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Glpi-Project

References (4)

Patch https://github.com/glpi-project/glpi/pull/5519
Release Notes https://github.com/glpi-project/glpi/releases/tag/9.3.1
Patch https://github.com/glpi-project/glpi/pull/5519
Release Notes https://github.com/glpi-project/glpi/releases/tag/9.3.1
22
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal