CVE-2024-43417
📋 TL;DR
CVE-2024-43417 is a reflected cross-site scripting (XSS) vulnerability in GLPI's Software form that allows unauthenticated attackers to inject malicious scripts. When a GLPI technician clicks a specially crafted link, the attacker can execute arbitrary JavaScript in the technician's browser session. This affects all GLPI installations running vulnerable versions.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, install backdoors, or pivot to internal systems.
Likely Case
Session hijacking leading to unauthorized access, data theft, or privilege escalation within the GLPI application.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though some risk remains.
🎯 Exploit Status
Exploitation requires social engineering to trick a technician into clicking a malicious link. The vulnerability itself is straightforward to exploit once the link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.17
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-p633-wfj5-8x44
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.17 from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation for the Software form parameters
Modify the GLPI source code to sanitize user input in front/software.form.php
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration, and confirm that GLPI's own pages still load correctly under it
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in the Software form
- Disable or restrict access to the Software form for non-essential users
🔍 How to Verify
Check if Vulnerable:
Check if your GLPI version is below 10.0.17 by visiting the About page or checking the version file
Check Version:
grep -i 'version' glpi/config/config_db.php || grep GLPI_VERSION glpi/inc/define.php
Verify Fix Applied:
Verify the GLPI version is 10.0.17 or higher and test the Software form with safe XSS payloads
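The version comparison above is easy to get wrong when done by eye or with a plain string comparison ("10.0.9" sorts after "10.0.17" lexically). The following is an added example, not code from this page or from the GLPI project: it extracts GLPI_VERSION from the contents of inc/define.php and compares it numerically against the fixed release 10.0.17. The define.php excerpt is constructed for the example; the assumption that pre-release builds of 10.0.17 (e.g. "-rc1") count as older than the final release is the author's, not the vendor's.

```python
import re

# Constructed excerpt of GLPI's inc/define.php (sample data, not a real file).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '10.0.16');
define('GLPI_SCHEMA_VERSION', '10.0.16');
"""

FIXED_VERSION = "10.0.17"  # patch version given in the vendor advisory


def extract_glpi_version(define_php: str) -> str:
    """Pull the GLPI_VERSION string out of the contents of inc/define.php."""
    m = re.search(r"define\(\s*'GLPI_VERSION'\s*,\s*'([^']+)'\s*\)", define_php)
    if not m:
        raise ValueError("GLPI_VERSION not found in define.php contents")
    return m.group(1)


def parse_version(version: str) -> tuple:
    """Turn '10.0.17' or '10.0.17-rc1' into a tuple that compares correctly.

    Numeric components are compared as integers, so 10.0.9 < 10.0.17.
    A pre-release suffix (assumption: anything after '-') sorts before the
    final release of the same number.
    """
    core, sep, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad '10.0' to '10.0.0'
    # final release gets flag 1, pre-release gets flag 0 plus its tag
    return nums + ((0, pre) if sep else (1, ""))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    installed = extract_glpi_version(SAMPLE_DEFINE_PHP)
    state = "VULNERABLE" if is_vulnerable(installed) else "patched"
    print(f"GLPI {installed}: {state} (fixed in {FIXED_VERSION})")
```

To run it against a real installation, read inc/define.php from disk and pass its contents to extract_glpi_version in place of the constructed sample.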
📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests to software.form.php with script tags or JavaScript payloads
- Multiple failed login attempts following suspicious URL parameters
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in URL parameters to software.form.php endpoint
SIEM Query:
source="web_access.log" AND uri="*software.form.php*" AND (query="*<script>*" OR query="*javascript:*")
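The SIEM query above only matches a literal "<script>" or "javascript:" in the query string, so a request whose payload is percent-encoded (or double-encoded) slips past it. As an added example, not part of this page or of GLPI, the script below parses Apache combined-format access log lines, decodes parameter names and values repeatedly, and flags requests to software.form.php that carry the indicators the page names. The log lines are constructed sample data; IP addresses come from documentation ranges, and the parameter name "id" is illustrative only.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access log (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:09:12:01 +0000] "GET /glpi/front/software.form.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2024:09:12:07 +0000] "GET /glpi/front/software.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:09:15:44 +0000] "GET /glpi/front/software.form.php?id=<script>1</script> HTTP/1.1" 200 5144 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:09:15:58 +0000] "GET /glpi/front/software.form.php?id=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 5144 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:09:16:10 +0000] "GET /glpi/front/software.form.php?id=%253Cscript%253E HTTP/1.1" 200 5144 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:09:16:30 +0000] "GET /glpi/front/software.form.php?id=JaVaScRiPt%3A1 HTTP/1.1" 200 5144 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Aug/2024:09:20:00 +0000] "GET /glpi/front/computer.form.php?id=%3Cscript%3E HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)

TARGET_SCRIPT = "software.form.php"

# Indicators named in the advisory, matched case-insensitively on decoded text.
INDICATORS = (
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request to software.form.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return None
    # parse_qsl decodes once; fully_decode handles any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        for field in (name, raw):
            decoded = fully_decode(field)
            for pat in INDICATORS:
                if pat.search(decoded):
                    return {
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": name,
                        "indicator": pat.pattern,
                        "decoded": decoded,
                    }
    return None


def scan_log(text: str) -> List[dict]:
    """Run inspect_line over every line and keep only the findings."""
    return [hit for hit in map(inspect_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} "
              f"matched {f['indicator']!r}: {f['decoded']}")
```

Of the seven constructed lines, four are flagged: the raw, single-encoded, double-encoded and mixed-case requests to software.form.php. The benign request, the request to software.php and the encoded request to a different form are left alone, which is the behaviour to check for before pointing the rule at production logs.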