CVE-2024-41678 in GLPI
Summary
by MITRE • 11/15/2024
GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/26/2025
The vulnerability identified as CVE-2024-41678 represents a critical reflected cross-site scripting flaw within the GLPI asset and IT management platform. This security weakness affects versions prior to 10.0.17 and stems from the application's insufficient input validation and output encoding mechanisms when processing user-supplied data in HTTP request parameters. The vulnerability specifically manifests when GLPI processes certain URL parameters without adequate sanitization, allowing malicious payloads to be injected and subsequently executed within the context of a victim's browser session.
The technical exploitation of this vulnerability occurs through a server-side reflection mechanism where user-provided input is directly echoed back to the browser without proper HTML encoding or validation. An attacker can craft a malicious URL containing XSS payload and send it to a legitimate GLPI technician via email, chat, or other communication channels. When the technician clicks the malicious link, the payload executes in their browser context, potentially enabling session hijacking, credential theft, or redirection to malicious sites. This type of attack falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental web application security weakness categorized under the OWASP Top Ten as A03:2021 - Injection.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to escalate privileges within the GLPI environment. Since GLPI is commonly used for managing IT assets, network infrastructure, and user accounts, successful exploitation could allow threat actors to access sensitive organizational data, modify asset records, or potentially gain unauthorized access to connected systems. The reflected nature of the vulnerability means that the attack requires user interaction but does not need authentication, making it particularly dangerous in environments where technicians frequently interact with external links or where social engineering attacks are common. This vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it relies on the technician clicking malicious links to achieve initial compromise.
Organizations utilizing GLPI should immediately implement the recommended upgrade to version 10.0.17 or later to remediate this vulnerability. In addition to the mandatory upgrade, security teams should implement network-level protections such as web application firewalls and content filtering systems to detect and block malicious payloads. Regular security awareness training for IT personnel can help reduce the risk of successful social engineering attacks that leverage this vulnerability. The fix implemented in version 10.0.17 addresses the root cause by introducing proper input validation and output encoding mechanisms throughout the application's parameter handling processes. Organizations should also conduct thorough vulnerability assessments to identify any other potentially affected systems and ensure that all GLPI instances are updated to prevent exploitation.