CVE-2025-27514
📋 TL;DR
GLPI versions 9.5.0 through 10.0.18 contain a stored cross-site scripting (XSS) vulnerability in the project kanban feature. Authenticated technicians can inject malicious scripts that execute when other users view the kanban board. This affects all GLPI installations running vulnerable versions.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker with technician access could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full account compromise.
Likely Case
Technician-level users could perform limited session hijacking or deface kanban boards, but full system compromise is unlikely without additional vulnerabilities.
If Mitigated
With proper input validation and output encoding, the impact is limited to visual disruption with no data theft or privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated technician access. The vulnerability is in the project kanban feature where user input is not properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.19
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.19 or later from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable project kanban feature
Temporarily disable the project kanban feature to prevent exploitation while planning an upgrade.
Restrict technician permissions
Review and reduce technician permissions to limit access to project management features.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in project-related requests
- Enable Content Security Policy (CSP) headers to restrict script execution
🔍 How to Verify
Check if Vulnerable:
Check your GLPI version via the web interface (Setup > General > Information) or by examining the GLPI installation files.
Check Version:
Check the GLPI web interface at /glpi/index.php?redirect=front/central.php, or examine the inc/define.php file.
Verify Fix Applied:
After upgrading, verify the version shows 10.0.19 or higher and test the project kanban feature with safe test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual project kanban modifications
- Suspicious JavaScript in project-related POST requests
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Unusual outbound connections from GLPI server following kanban access
- Suspicious JavaScript payloads in HTTP traffic
SIEM Query:
source="web_server_logs" AND (uri="/glpi/ajax/kanban.php" OR uri CONTAINS "project") AND (message CONTAINS "script" OR message CONTAINS "javascript:" OR message CONTAINS "onerror=" OR message CONTAINS "onload=")
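As an added example, not part of this advisory or of GLPI itself: a Python scanner that applies the log indicators above to constructed access-log lines. It percent-decodes each request before matching (the SIEM query above runs against raw log text, so an encoded payload slips past it) and uses markers tighter than a bare substring, so a harmless parameter such as sort=description is not flagged. The log format, paths and sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus
# Constructed combined-format access-log lines (not real traffic); the payload fragments
# are the indicator strings named above, percent-encoded as a browser submits them.
SAMPLE_LOG = """\
10.0.0.5 - tech1 [01/Mar/2025:10:00:01 +0000] "POST /glpi/ajax/kanban.php?action=update_item HTTP/1.1" 200 512
10.0.0.5 - tech1 [01/Mar/2025:10:00:07 +0000] "GET /glpi/front/project.form.php?id=12&name=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1" 200 9001
10.0.0.9 - tech2 [01/Mar/2025:10:01:13 +0000] "GET /glpi/front/project.php?sort=description HTTP/1.1" 200 1200
10.0.0.9 - tech2 [01/Mar/2025:10:02:44 +0000] "POST /glpi/ajax/kanban.php?action=add_item&content=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Tighter than a bare CONTAINS "script" (which would also flag sort=description):
# a <script tag, a javascript: URL, or an on*= event handler.
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript url", re.compile(r"javascript\s*:", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads are inspected as well."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return (line_no, user, path, indicator) for in-scope requests carrying an XSS marker."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        path = match.group("uri").split("?", 1)[0].lower()
        # Same scope as the SIEM query above: the kanban AJAX endpoint or any project page.
        if not (path.endswith("/ajax/kanban.php") or "project" in path):
            continue
        decoded = fully_decode(match.group("uri"))
        for name, pattern in XSS_PATTERNS:
            if pattern.search(decoded):
                hits.append((line_no, match.group("user"), path, name))
                break
    return hits
```

Feed it the decoded URI only; if your web server also logs request bodies, run the same patterns over that field, since kanban updates arrive as POST data rather than query strings.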