CVE-2021-39210
Autologin cookie accessible by scripts
In short
GLPI's 'remember me' feature stores a login cookie that can be accessed by browser scripts, allowing malicious plugins to steal it and impersonate users. This affects versions before 9.5.6.
Technical detail
The autologin ("remember me") cookie in GLPI is set without the HttpOnly flag, so it is readable from JavaScript through document.cookie. Any script running on the GLPI origin, such as a malicious plugin or an XSS payload, can read and exfiltrate it, and whoever holds the cookie can present it to GLPI and be logged in as that user with no interaction on the victim's side. The attack therefore needs either a malicious plugin installed on the instance or a script-injection vector on the same origin. Version 9.5.6 fixes the issue; until an upgrade, not using the "remember me" feature means the cookie is never issued.
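The following is an added example, not GLPI code and not part of the original advisory: a small Node.js check that parses Set-Cookie headers and reports whether a cookie would be exposed to document.cookie, i.e. whether it lacks the HttpOnly attribute this advisory is about (it also reports Secure and SameSite, which a practitioner auditing the same header would want). The sample headers are constructed, and the cookie name used in them is an assumption for illustration, not necessarily the name GLPI uses.

```javascript
// Added example (not GLPI project code). Audits Set-Cookie headers for the
// attribute whose absence CVE-2021-39210 describes: a cookie without HttpOnly
// is visible to every script on the origin via document.cookie.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Report the security-relevant attributes that are missing from one cookie.
// scriptAccessible is the condition behind this advisory.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) findings.push('missing HttpOnly: readable via document.cookie');
  if (!c.attrs.secure) findings.push('missing Secure: also sent over plaintext HTTP');
  if (!c.attrs.samesite) findings.push('missing SameSite: sent on cross-site requests');
  return { name: c.name, scriptAccessible: !c.attrs.httponly, findings };
}

// Audit every Set-Cookie header of a response and return only the cookies
// that a page script could read.
function scriptReadableCookies(headers) {
  return headers.map(auditCookie).filter((r) => r.scriptAccessible);
}

// Constructed sample headers (not captured from a real GLPI instance).
// The cookie name "glpi_rememberme" and the token are assumptions.
const VULNERABLE_HEADER =
  'glpi_rememberme=dGVzdHRva2Vu; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/glpi; secure';
const FIXED_HEADER =
  'glpi_rememberme=dGVzdHRva2Vu; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/glpi; secure; HttpOnly; SameSite=Lax';

for (const h of [VULNERABLE_HEADER, FIXED_HEADER]) {
  const r = auditCookie(h);
  console.log(`${r.name}: script-accessible=${r.scriptAccessible}`, r.findings);
}
```

To use this against a live instance, log in with "remember me" ticked, copy the Set-Cookie headers from the login response (browser devtools or a proxy) and pass them to scriptReadableCookies; the same condition can be confirmed directly in the browser console, where a cookie that lacks HttpOnly appears in document.cookie and one that has it does not.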
Summary generated and translated by AI from the official description.
GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
glpi-project · glpi