CVE-2024-45611

5.7 MEDIUM

📋 TL;DR

This vulnerability allows authenticated GLPI users to bypass access controls and create private RSS feeds attached to other user accounts. Attackers can inject malicious JavaScript payloads that trigger stored cross-site scripting (XSS) attacks when victims view the compromised feeds. All GLPI instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • GLPI
Versions: before 10.0.17
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; RSS feed functionality must be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal session cookies, perform actions as other users, escalate privileges, or deploy malware to victim browsers.

🟠 Likely Case

Attackers will steal authenticated sessions to gain unauthorized access to sensitive IT asset data or perform limited administrative actions.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payload would be neutralized, limiting impact to access control bypass only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses simple XSS payloads with access control bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.17

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-j73h-x6j3-m479

Restart Required: No

Instructions:

1. Backup your GLPI database and files.
2. Download GLPI 10.0.17 from official sources.
3. Follow the GLPI upgrade documentation.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable RSS Feed Functionality

all

Temporarily disable RSS feed creation to prevent exploitation while planning upgrade.

Implement WAF Rules

all

Deploy web application firewall rules to block XSS payloads in RSS feed parameters.

🧯 If You Can't Patch

  • Restrict user permissions to minimize authenticated users who could exploit this vulnerability.
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check GLPI version in Administration > General > Information, or examine the GLPI source code for version markers.

Check Version:

# Run from the GLPI installation root. GLPI_VERSION is defined in inc/define.php,
# not in config/config_db.php; GLPI_ROOT is defined first because some inc/ files
# refuse to load without it.
php -r "define('GLPI_ROOT', getcwd()); include('inc/define.php'); echo 'GLPI version: ' . GLPI_VERSION . PHP_EOL;"

Verify Fix Applied:

Confirm version is 10.0.17 or later and test RSS feed creation with XSS payloads to ensure they're sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual RSS feed creation events
  • JavaScript payloads in GLPI logs
  • Multiple failed access attempts to other user accounts

Network Indicators:

  • Suspicious POST requests to RSS feed endpoints with script tags
  • Unexpected outbound connections from GLPI server

SIEM Query:

source='glpi_logs' AND (event='rss_feed_creation' OR message LIKE '%<script%')
