CVE-2021-21313
- Source
- https://cve.org/CVERecord?id=CVE-2021-21313
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21313.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-21313
- Downstream
- Related
- Published
- 2021-03-03T20:15:12.200Z
- Modified
- 2026-03-14T14:50:21.868901Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not properly sanitized. Here are two payloads (due to two different exploitations depending on which parameter you act) to exploit the vulnerability:/ajax/common.tabs.php?_target=javascript:alert(document.cookie)&_itemtype=DisplayPreference&glpitab=DisplayPreference$2&id=258&displaytype=Ticket (Payload triggered if you click on the button). /ajax/common.tabs.php?_target=/front/ticket.form.php&_itemtype=Ticket&glpitab=Ticket$1&id=(){};(function%20(){alert(document.cookie);})();function%20a&#.
- References