Description
The Tag plugin for GLPI 11 before 2.14.4 stores the tag name without HTML sanitization and renders it into the Kanban badge markup via PluginTagTag::preKanbanContent() without output escaping, resulting in stored cross-site scripting. An authenticated user with TAG MANAGEMENT create or update rights can set a tag name containing HTML, which then executes in the browser of any user who opens the Kanban view of a ticket, problem, change, or project the tag is attached to.
Problem types
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
2.6.0 (semver) before 2.14.4
Credits
chapochapo
References
github.com/...PI/tag/security/advisories/GHSA-6rpj-89c7-x2mh (GitHub Security Advisory GHSA-6rpj-89c7-x2mh)
github.com/pluginsGLPI/tag/releases/tag/2.14.4 (Tag Plugin 2.14.4 Release)
github.com/pluginsGLPI/tag (Product)
github.com/...ommit/49e6b6eb5f83bcd84139a5e5ec54c0ddd14acc90 (Patch Commit)