GFI HelpDesk Stored Cross-Site Scripting Vulnerability in Language Management
Vulnerability
A stored cross-site scripting vulnerability has been identified in GFI HelpDesk versions prior to 4.99.9. The issue arises in the language management feature, where the charset POST parameter is sent directly to the SWIFT_Language::Create() function without proper HTML sanitization. This unsanitized data is then rendered by the View_Language.RenderGrid() method. An authenticated administrator can exploit this vulnerability by injecting arbitrary JavaScript into the charset field while creating or editing a language. The injected script executes in the browser of any administrator who views the Languages page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
Remediation
Users are advised to upgrade to GFI HelpDesk version 4.99.9 or later, which addresses this vulnerability. The new version can be downloaded from the GFI Upgrade Center.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.