CVE-2023-28852 in GLPI
Summary
by MITRE • 04/05/2023
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
Analysis
by VulDB Data Team • 04/06/2023
CVE-2023-28852 affects GLPI, a widely used open-source asset and IT management package that organizations rely on to keep inventories of their IT infrastructure and run operational workflows. The flaw exists in versions 9.5.0 through 9.5.12 and 10.0.0 through 10.0.6. It stems from inadequate input validation and sanitization in the dashboard administration functionality, which lets an attacker who already holds dashboard administration rights store code that later executes for other users.
Technically the flaw is a stored cross-site scripting vulnerability (CWE-79): an authenticated user with dashboard administration rights can manipulate the dashboard form to inject malicious markup or script. The injection is possible because the application does not properly sanitize the submitted values before storing the dashboard configuration and again when rendering it. When another user opens the affected dashboard, the injected code runs in that user's browser context, which can lead to session hijacking, data exfiltration, or further compromise of the victim's system. The vulnerability sits at the application layer and is reachable through the normal web interface; no authentication beyond the attacker's own dashboard administration rights is required.
The operational impact goes beyond the script execution itself: in organizations running affected GLPI versions it can open the way to data breaches and wider system compromise. An attacker can use the flaw to reach sensitive IT asset information, user credentials, or system configurations that the application's access controls would otherwise protect. Because the payload is stored, it stays active until the entry is removed or the software is updated, which makes the issue especially dangerous in enterprise environments where dashboards are shared among many users and kept for long periods.
Organizations should upgrade to GLPI 9.5.13 or 10.0.7 without delay, as these releases contain the patches that prevent the injection. Administrators should also audit existing dashboard configurations for entries that may already have been injected, since upgrading fixes the rendering but does not by itself remove stored content. Additional mitigations include network segmentation that limits who can reach dashboard administration functions, strict role-based permissions for dashboard administration rights, and monitoring of user activity for unexpected dashboard modifications. The vulnerability aligns with ATT&CK technique T1566, specifically the use of malicious web content, and represents a critical risk for organizations that depend on web-based asset management systems for their IT infrastructure operations.
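The audit of stored dashboard entries recommended above, as an added example that is not GLPI's own code: it scans constructed sample values (the dashboard names, field names and export layout are assumptions, not GLPI's schema) for active-content markers after undoing HTML-entity encoding, and shows the output escaping that neutralises such a value at render time.

```python
import html
import re

# Markers of active content inside a stored dashboard value.
# Constructed for this example; not GLPI's own validation rules.
_ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed|svg|img)\b"  # tags commonly abused in stored XSS
    r"|\bon[a-z]+\s*="                             # inline event handlers such as onerror=
    r"|javascript\s*:",                            # script URLs
    re.IGNORECASE,
)


def decode_layers(value, max_rounds=3):
    """Undo up to max_rounds of HTML-entity encoding so that an encoded
    payload (e.g. '&lt;script&gt;') is inspected in its decoded form."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_dashboard_fields(fields):
    """fields: iterable of (dashboard_name, field_name, stored_value) tuples,
    the layout assumed for an export of stored dashboard settings.
    Returns the (dashboard_name, field_name) pairs whose value looks active."""
    findings = []
    for dashboard, field, value in fields:
        if _ACTIVE_CONTENT.search(decode_layers(str(value))):
            findings.append((dashboard, field))
    return findings


def render_safely(value):
    """Escape a stored value before placing it in HTML; this is the
    output-encoding step whose absence makes the stored injection execute."""
    return html.escape(str(value), quote=True)


# Constructed sample export; the third and fourth rows carry injected content.
SAMPLE_FIELDS = [
    ("Central", "title", "Asset overview"),
    ("Central", "card_label", "Tickets <b>open</b>"),
    ("Ops", "title", "<img src=x onerror=alert(1)>"),
    ("Ops", "card_label", "&lt;script&gt;alert(1)&lt;/script&gt;"),
]

if __name__ == "__main__":
    for hit in audit_dashboard_fields(SAMPLE_FIELDS):
        print("suspicious dashboard entry:", hit)
```

Plain formatting such as the `<b>` tag in the second row is not flagged, so the audit output is a shortlist for manual review rather than a verdict.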