CVE-2021-3486: 
GLPI vulnerability analysis and mitigation

GLPi version 9.5.4 contains a stored cross-site scripting (XSS) vulnerability due to insufficient sanitization of metadata in plugins. The vulnerability was discovered in April 2021 and assigned identifier CVE-2021-3486. The affected software component is the plugin management functionality in GLPi 9.5.4 (GitHub Advisory, RedHat Bugzilla).

The vulnerability exists because GLPi 9.5.4 does not properly sanitize metadata fields in plugins, such as author, version, and license information. During the plugin installation process, GLPi reads the setup.php file from plugins to display this information. The application directly concatenates these metadata values into HTML without proper validation or sanitization, allowing for the injection of malicious JavaScript code (Security Blog). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the plugin management interface. This could lead to theft of privileged account credentials, particularly targeting technical users who have access to the administration page and database management capabilities (Security Blog).

The vulnerability has been fixed in GLPi version 9.5.5. Users should upgrade to this version or later to protect against this vulnerability (RedHat Bugzilla).