1473176 – (CVE-2016-7507, CVE-2016-7509) CVE-2016-7507 CVE-2016-7509 glpi: Stored XSS and CSRF vulnerabilities

Bug 1473176 (CVE-2016-7507, CVE-2016-7509) - CVE-2016-7507 CVE-2016-7509 glpi: Stored XSS and CSRF vulnerabilities

Summary: CVE-2016-7507 CVE-2016-7509 glpi: Stored XSS and CSRF vulnerabilities

Keywords:
Status:	CLOSED EOL
Alias:	CVE-2016-7507, CVE-2016-7509
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1473177
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-20 07:59 UTC by Adam Mariš
Modified:	2020-02-28 07:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:	glpi 9.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-28 07:19:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2017-07-20 07:59:31 UTC

CVE-2016-7507:

Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows
remote authenticated attackers to submit a request that could lead to
the creation of an admin account in the application.

CVE-2016-7509:

Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote
authenticated attackers to inject arbitrary web script or HTML by
attaching a crafted HTML file to a ticket.

Upstream bug:

https://github.com/glpi-project/glpi/issues/2483

Upstream patch:

https://github.com/glpi-project/glpi/commit/fc9363360a12328057b69a29a9f233f0ab113bf4

Comment 1 Adam Mariš 2017-07-20 07:59:55 UTC

Created glpi tracking bugs for this issue:

Affects: epel-7 [bug 1473177]

Comment 2 Johan Cwiklinski 2020-02-28 07:19:16 UTC

Package no longer present in epel.

Note You need to log in before you can comment on or make changes to this bug.