1736777 – (CVE-2019-1010310) CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > Description section

Bug 1736777 (CVE-2019-1010310) - CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > Description section

Summary: CVE-2019-1010310 glpi: Frame and Form tags Injection in Tools > Reminder > De...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-1010310
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1736778 1736779
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-02 00:31 UTC by Laura Pardo
Modified:	2021-10-27 10:47 UTC (History)
CC List:	1 user (show)
Fixed In Version:	glpi 9.4.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:47:20 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2019-08-02 00:31:46 UTC

A vulnerability was found in GLPI 9.3.1. A Frame and Form tags Injection allowing admins to phish user or group of users by putting code in reminder description in the Tools > Reminder > Description section.


References:
https://github.com/glpi-project/glpi/pull/5519

Comment 1 Laura Pardo 2019-08-02 00:32:08 UTC

Created glpi tracking bugs for this issue:

Affects: epel-7 [bug 1736779]
Affects: fedora-29 [bug 1736778]

Note You need to log in before you can comment on or make changes to this bug.