CVE-2022-24868 in GLPI
Summary
by MITRE • 04/21/2022
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject JavaScript into their user avatar. As a result any user viewing the avatar will be subject to a cross-site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
Analysis
by VulDB Data Team • 04/28/2022
CVE-2022-24868 is a critical cross-site scripting flaw in GLPI versions prior to 10.0.0, located in the user avatar upload functionality. It stems from inadequate input sanitization: SVG file uploads are not properly validated and processed, which lets an attacker inject JavaScript into a user avatar. GLPI is an asset and IT management package that provides ITIL Service Desk features, license tracking and software auditing, and its widespread adoption in enterprise environments makes the issue particularly concerning.
The technical flaw is the absence of content sanitization when SVG files are processed. Unlike traditional raster image formats, SVG is a markup format that can carry embedded script. Without validation, an attacker can embed a payload in the SVG markup that executes when the avatar is rendered. The affected code path is the avatar upload mechanism through which users set a profile image; the application does not strip or sanitize dangerous elements from the SVG content. The flaw is classified as CWE-79 (cross-site scripting) and shows how improper input validation becomes a persistent weakness in a web application.
The operational impact goes beyond a single script execution, because the stored avatar is a persistent attack vector that affects every user who views it. When a user opens a page displaying the compromised avatar, their browser executes the injected JavaScript, which can lead to session hijacking, credential theft, or redirection to malicious sites. This is particularly dangerous in enterprise environments where GLPI is used for asset management and IT service desk operations, since a compromised session can expose sensitive organizational data and system resources. The attack requires no user interaction beyond viewing the compromised profile, making it a stealthy and effective vector for credential harvesting and further network compromise.
Organizations running GLPI should prioritize upgrading to version 10.0.0 or later, which adds proper input sanitization for SVG file uploads. As a temporary mitigation, administrators should disable SVG avatar uploads, and they should audit existing user avatars to identify and remove any compromised content. The vulnerability illustrates the importance of input validation and content sanitization in web applications, particularly for file upload functionality. Additional controls such as web application firewalls and content security policies provide defense in depth against similar flaws. The incident also underscores the need for regular security updates and security testing of third-party applications, in line with the ATT&CK framework's guidance on identifying and mitigating web application vulnerabilities through input validation and sanitization.
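As an added illustration of the upload-validation and avatar-audit steps described above (example code, not part of this advisory and not GLPI's own code), the following Python check flags the SVG features an injected payload relies on: script-capable elements, event-handler attributes, non-fragment URLs and content outside the SVG namespace. The two sample avatars are constructed, and the function name is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Attributes that may carry a URL; only same-document fragments ("#id") are accepted.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# SVG elements that can execute script or embed arbitrary HTML.
SCRIPT_CAPABLE = {"script", "foreignObject"}


def svg_hazards(data: bytes) -> list:
    """Return a list of findings for an SVG upload; an empty list means none found.

    Hypothetical validator for SVG avatars (added example, not GLPI code).
    """
    findings = []
    # Refuse DTDs outright: they enable entity-expansion attacks on the XML parser.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["document type declaration / entity definition present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG <svg>")
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        if ns.lstrip("{") != SVG_NS:
            findings.append(f"element <{el.tag}> outside the SVG namespace")
        elif local in SCRIPT_CAPABLE:
            findings.append(f"script-capable element <{local}>")
        for name, value in el.attrib.items():
            attr = name.rpartition("}")[2]
            if attr.lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")
            elif name in URL_ATTRS and not value.strip().startswith("#"):
                findings.append(f"non-fragment URL in {attr} on <{local}>: {value!r}")
    return findings


# Constructed samples: a plain circle, and an avatar carrying script hooks.
BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
          b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
MALICIOUS = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="sample()">'
             b'<script>sample()</script>'
             b'<a xlink:href="javascript:sample()"><text y="10">hi</text></a></svg>')
```

Run it over the avatar upload directory to list files that need removal; a non-empty result should reject the upload or quarantine the stored file.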