vulnerability

Ubuntu: (CVE-2020-15177): glpi vulnerability

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Oct 7, 2020	Jun 26, 2025	Aug 18, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Oct 7, 2020

Added

Jun 26, 2025

Modified

Aug 18, 2025

Description

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

Solution

no-fix-ubuntu-package

References

CVE-2020-15177
https://attackerkb.com/topics/CVE-2020-15177
CWE-79
URL-https://github.com/glpi-project/glpi/commit/a8109d4ee970a222faf48cf48fae2d2f06465796
URL-https://www.cve.org/CVERecord?id=CVE-2020-15177

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today