{"id":"MGASA-2020-0220","summary":"Updated glpi packages fix security vulnerabilities","details":"Updated glpi packages fix security vulnerabilities:\n\nIn GLPI from version 9.1 and before version 9.4.6, any API user with READ\nright on User itemtype will have access to full list of users when querying\napirest.php/User. The response contains: - All api_tokens which can be used\nto do privileges escalations or read/update/delete data normally non\naccessible to the current user. - All personal_tokens can display another\nusers planning. Exploiting this vulnerability requires the api to be\nenabled, a technician account. It can be mitigated by adding an application\ntoken (CVE-2020-11033).\n\nIn GLPI before version 9.4.6, there is a vulnerability that allows\nbypassing the open redirect protection based which is based on a regexp\n(CVE-2020-11034).\n\nIn GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are\ngenerated using an insecure algorithm. The implementation uses rand and\nuniqid and MD5 which does not provide secure values (CVE-2020-11035).\n\nIn GLPI before version 9.4.6 there are multiple related stored XSS\nvulnerabilities. The package is vulnerable to Stored XSS in the comments of\nitems in the Knowledge base. Adding a comment with content \"\u003cscript\u003ealert(1)\n\u003c/script\u003e\" reproduces the attack. This can be exploited by a user with\nadministrator privileges in the User-Agent field. It can also be exploited\nby an outside party through the following steps: 1. Create a user with the\nsurname `\" onmouseover=\"alert(document.cookie)` and an empty first name. 2.\nWith this user, create a ticket 3. As an administrator (or other privileged\nuser) open the created ticket 4. On the \"last update\" field, put your mouse\non the name of the user 5. The XSS fires (CVE-2020-11036).\n","modified":"2026-04-16T00:12:37.144467045Z","published":"2020-05-24T18:04:47Z","upstream":["CVE-2020-11033","CVE-2020-11034","CVE-2020-11035","CVE-2020-11036"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0220.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26625"},{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55"},{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg"},{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf"},{"type":"ADVISORY","url":"https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/"}],"affected":[{"package":{"name":"glpi","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/glpi?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.5-1.2.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0220.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}