GLPI, Cross-Site Scripting (XSS), CVE-2025-21627 (Critical)

How the CVE Works:

CVE-2025-21627 is a critical reflected Cross-Site Scripting (XSS) vulnerability in GLPI, an open-source IT asset management software. The vulnerability exists in versions prior to 10.0.18 and allows an attacker to inject malicious JavaScript code into the search page. When anonymous ticket creation is enabled, an unauthenticated user can craft a malicious link containing the payload. If a victim clicks the link, the script executes in their browser, potentially leading to session hijacking, data theft, or unauthorized actions within the application. The issue arises due to improper sanitization of user-supplied input in the search functionality. Version 10.0.18 addresses this by implementing proper input validation and output encoding.

DailyCVE Form:

Platform: GLPI
Version: <10.0.18
Vulnerability: Reflected XSS
Severity: Critical
Date: 02/25/2025

What Undercode Say:

Exploitation:

  1. Craft a malicious URL with a JavaScript payload in the search parameter.
     Example: `https:///glpi/search?query=`
  2. Send the link to a victim or embed it in a phishing email.
  3. When the victim clicks the link, the payload executes in their browser.

Protection:

1. Upgrade to GLPI version 10.0.18 or later.

2. Disable anonymous ticket creation if not required.

3. Implement Content Security Policy (CSP) headers to mitigate XSS risks.

Example CSP: `Content-Security-Policy: default-src 'self'; script-src 'self';`

4. Use web application firewalls (WAFs) to filter malicious input. Treat CSP and WAF rules as defense in depth; only the upgrade removes the flaw itself.

Commands:

1. Check GLPI version:

grep "GLPI_VERSION" /path/to/glpi/inc/define.php

2. Update GLPI:

wget https://github.com/glpi-project/glpi/releases/download/10.0.18/glpi-10.0.18.tgz
tar -xzvf glpi-10.0.18.tgz
sudo mv glpi /var/www/html/

3. Verify CSP headers:

curl -sI https://<target> | grep -i "Content-Security-Policy"
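The version check in command 1 and the CSP check in command 3 are easy to get wrong by hand: a plain string comparison says "10.0.9" is newer than "10.0.18", and a CSP header that allows `'unsafe-inline'` does not actually constrain injected scripts. The script below is an added example, not code from the page or from the GLPI project; it assumes `inc/define.php` declares the version as `define('GLPI_VERSION', '...')` and uses a constructed sample of that file.

```python
import re

FIXED_VERSION = (10, 0, 18)  # first release that addresses CVE-2025-21627

# Constructed sample of GLPI's inc/define.php (not copied from the project).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '10.0.9');
define('GLPI_SCHEMA_VERSION', '10.0.9');
"""

def glpi_version(define_php: str) -> str:
    """Extract the GLPI_VERSION string from the contents of inc/define.php."""
    m = re.search(r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""",
                  define_php)
    if not m:
        raise ValueError("GLPI_VERSION not found")
    return m.group(1)

def parse_version(version: str) -> tuple:
    """Turn '10.0.18' into (10, 0, 18, True). A pre-release suffix such as
    '10.0.18-dev' yields (10, 0, 18, False) so it sorts before the final build.
    Numeric tuples avoid the string-comparison trap where '10.0.9' > '10.0.18'."""
    core, sep, _suffix = version.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    while len(numbers) < 3:
        numbers += (0,)
    return numbers + (sep == "",)

def is_vulnerable(version: str) -> bool:
    """True for any build older than the fixed release, pre-releases included."""
    return parse_version(version) < FIXED_VERSION + (True,)

def csp_restricts_scripts(headers: dict) -> bool:
    """True if a Content-Security-Policy header constrains script sources
    without 'unsafe-inline' or a wildcard, as in the policy suggested above."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return False
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    permissive = {"'unsafe-inline'", "*", "data:"}
    return not any(s.lower() in permissive for s in sources)

if __name__ == "__main__":
    found = glpi_version(SAMPLE_DEFINE_PHP)
    print(found, "vulnerable" if is_vulnerable(found) else "patched")
```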

URLs:

  1. GLPI GitHub Repository: https://github.com/glpi-project/glpi
  2. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-21627
  3. XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

Analytics:

  • Affected Systems: GLPI installations with versions <10.0.18.
  • Risk Level: Critical due to unauthenticated exploitation potential.
  • Mitigation Adoption: Immediate upgrade recommended for all users.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-21627
