Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from Fedora
Fixed in glpi-9.1.6-2.1.mga6 by Guillaume on May 5.
Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
MGA6-32 on IBM Thinkpad R50e MATE

No installation issues. After making sure httpd and mysqld run, pointing to http://localhost/glpi got the installer going. Using the default names as per bug 21331 Comment 4, the whole installation went OK, and I was able to log in as user "normal" and see my (empty) planning. Did not go any further as this seems really system admin terrain. OK for me, unless some real sysadmin wants to have a go at it. And BTW, it does not seem to break anything else.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Validating. Advisory needed for this one please, David.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory:
========================

Updated glpi package fixes security vulnerability:

An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes (CVE-2018-7563).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7563
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7TJDOAMV55BUNNNCAGCK5URQZEMUH53/
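The bug class the advisory describes, as an added illustration that is not GLPI's code or the patch itself: a query-string value reflected unencoded into the page beside the output-encoded form. The parameter name `tab` and the markup are assumptions for the example.

```php
<?php
// Added example, not GLPI code: reflected XSS from a query-string value,
// of the kind described for front/preference.php, and the encoded fix.
// The parameter name "tab" is hypothetical, not GLPI's real one.

declare(strict_types=1);

// Vulnerable: the raw GET value is concatenated into HTML, so a crafted
// URL opened by a logged-in user has its script executed in that session.
function renderTabVulnerable(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    return '<div class="tab" data-tab="' . $tab . '">' . $tab . '</div>';
}

// Hardened: the untrusted value is HTML-encoded for both the attribute and
// the text context it lands in. ENT_QUOTES also encodes double and single
// quotes, which is what stops an attribute breakout; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently producing an empty string.
function renderTabSafe(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    $enc = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="tab" data-tab="' . $enc . '">' . $enc . '</div>';
}

// Where the value comes from a fixed set (tab names do), an allow-list
// check before rendering is the stronger first line of defence; encoding
// stays in place as defence in depth for anything that slips through.
function selectTab(array $query, array $allowed): string
{
    $tab = $query['tab'] ?? 'general';
    return in_array($tab, $allowed, true) ? $tab : 'general';
}

// Constructed sample query, as PHP would populate $_GET from a crafted link.
$sample = ['tab' => '"><script>alert(1)</script>'];

echo renderTabVulnerable($sample), PHP_EOL;
// <div class="tab" data-tab=""><script>alert(1)</script>">...  (script runs)
echo renderTabSafe($sample), PHP_EOL;
// <div class="tab" data-tab="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">... (inert text)
echo selectTab($sample, ['general', 'notifications', 'display']), PHP_EOL;
// general
```

Run with `php example.php`; the second line shows the same input rendered as inert text, which is the behaviour the fixed package restores for front/preference.php.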
Thanks David
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0272.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED