{"id":"CVE-2021-3486","details":"GLPi 9.5.4 does not sanitize the metadata. This way it is possible to insert XSS into plugins to execute JavaScript code.","modified":"2026-04-10T04:34:55.079289Z","published":"2021-05-26T22:15:08.230Z","references":[{"type":"ADVISORY","url":"https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1947653"},{"type":"EVIDENCE","url":"https://n3k00n3.github.io/blog/09042021/glpi_xss.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/glpi-project/glpi","events":[{"introduced":"0"},{"last_affected":"59a0a0b6101fcd54b00bfc6a61d4e707513c08c9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.5.4"}]}}],"versions":["0.90","0.90-RC1","0.90-RC2","0.90-beta1","0.90-beta2","9.1","9.1-RC1","9.1-RC2","9.3-beta","9.4.0","9.4.0-beta","9.4.0-rc1","9.4.0-rc2","9.4.1","9.4.1.1","9.5.0","9.5.0-rc1","9.5.0-rc2","9.5.1","9.5.2","9.5.3","9.5.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3486.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}