
CVE-2026-33533: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in nicolargo glances

Severity: High
Tags: Vulnerability, CVE-2026-33533, CWE-942
Published: Thu Apr 02 2026 (04/02/2026, 14:56:38 UTC)
Source: CVE Database V5
Vendor/Project: nicolargo
Product: glances

Description

Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 15:39:16 UTC

Technical Analysis

Glances is a cross-platform system monitoring tool that exposes real-time system metrics over an XML-RPC server when started with the -s or --server option. Prior to version 4.5.3, this server answers every HTTP request with the header Access-Control-Allow-Origin: *, which tells browsers that any origin may read its responses. In addition, the XML-RPC handler does not validate the Content-Type header of incoming requests.

Together these two defects permit cross-origin data theft. A malicious webpage issues a CORS "simple request": a POST with Content-Type set to text/plain whose body is a valid XML-RPC call. Because text/plain is a CORS-safelisted content type, the browser sends the request without a preflight check; the server parses the body as XML-RPC and returns detailed monitoring data; and the wildcard CORS header lets the page's JavaScript read that response.

The data exposed includes hostname, operating system version, network interface IP addresses, CPU, memory, disk, and network statistics, and, critically, the full list of running processes with their command lines. Command lines often contain sensitive information such as tokens, passwords, or internal file paths, increasing the risk of further compromise.

This vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). It requires no authentication, but it does require the victim to visit a malicious webpage. The issue was fixed in Glances version 4.5.3 by restricting the CORS policy and validating request headers appropriately. No known exploits in the wild have been reported as of the publication date.
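The following is an added example and is not code from Glances or from the CVE record. It models the two defects described above as small functions: the pre-fix wildcard CORS header next to an allow-list version, and a Content-Type check that refuses the text/plain "simple request" shape so that cross-origin browser calls must go through a preflight. The allow-listed origin, the method name in the sample payload and every function name are assumptions made for this illustration.

```python
"""Request gating for an XML-RPC-over-HTTP endpoint (added example; not Glances' own code).

The advisory describes two defects in the pre-4.5.3 server: a wildcard
Access-Control-Allow-Origin on every response, and an XML-RPC handler that
never checks Content-Type. Together they let a browser deliver an XML-RPC body
as a CORS "simple request" (text/plain POST, no preflight) and read the reply.
All names, the origin allow-list and the sample payload below are constructed.
"""
import xml.etree.ElementTree as ET

# Hypothetical allow-list: only this origin may read responses from a browser.
ALLOWED_ORIGINS = frozenset({"https://dashboard.internal.example"})

# Constructed XML-RPC call; the method name is a placeholder, not a Glances API.
SAMPLE_CALL = (
    b'<?xml version="1.0"?><methodCall>'
    b"<methodName>exampleMethod</methodName><params/></methodCall>"
)


def vulnerable_cors_headers(origin):
    """Pre-fix behaviour: every response grants read access to every origin."""
    return {"Access-Control-Allow-Origin": "*"}


def hardened_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Grant cross-origin read access only to an allow-listed Origin.

    Echoing the specific origin (never "*") and adding Vary: Origin keeps a
    shared cache from replaying one origin's grant to another. Requests with
    no Origin header (curl, a command-line client) receive no CORS grant and
    are otherwise unaffected, because CORS only governs browsers.
    """
    if origin is None or origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type):
    """Strip parameters and normalise case: 'Text/XML; charset=utf-8' -> 'text/xml'."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def accept_xmlrpc_request(method, headers, body):
    """Decide whether an HTTP request may reach the XML-RPC dispatcher.

    Returns (accepted, reason). The Content-Type requirement is the key part:
    text/xml is not a CORS-safelisted type, so a browser cannot send it
    cross-origin without a preflight, and hardened_cors_headers() will not
    approve that preflight for an unlisted origin. The body must also parse
    as a <methodCall> so an arbitrary text blob never reaches the dispatcher.
    """
    if method != "POST":
        return False, "xml-rpc requires POST"
    if media_type(_header(headers, "Content-Type")) != "text/xml":
        return False, "Content-Type must be text/xml"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "body is not well-formed XML"
    if root.tag != "methodCall":
        return False, "root element must be methodCall"
    return True, "ok"


if __name__ == "__main__":
    # A text/plain POST carrying a valid payload is exactly the simple-request
    # shape from the advisory; it is refused before the dispatcher sees it.
    print(accept_xmlrpc_request("POST", {"Content-Type": "text/plain"}, SAMPLE_CALL))
    print(accept_xmlrpc_request("POST", {"Content-Type": "text/xml"}, SAMPLE_CALL))
    print(hardened_cors_headers("https://unlisted.example"))
```

The same allow-list must be applied when answering the OPTIONS preflight, otherwise a browser that is refused on the POST could still be granted on the preflight; and a missing Origin header should be treated as "no grant", not as a wildcard.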

Potential Impact

The vulnerability allows remote attackers to exfiltrate comprehensive system information from vulnerable Glances servers without authentication. This is a significant confidentiality breach: it exposes sensitive operational data such as system configuration, network details, and running processes. The exposure of command line arguments is particularly dangerous because they may reveal credentials, tokens, or internal paths, facilitating further attacks such as lateral movement, privilege escalation, or targeted exploitation. Organizations running Glances with the XML-RPC server enabled on publicly accessible or intranet-facing hosts are at risk.

The attack requires user interaction (visiting a malicious webpage), so phishing or social engineering could be used to trigger exploitation. The breadth of the exposed data aids attackers in reconnaissance and in planning subsequent attacks. Although no direct integrity or availability impact is described, the confidentiality breach alone is severe. The vulnerability affects all platforms supported by Glances, including Linux, Windows, and macOS, so diverse environments are potentially affected. Given the ease of exploitation and the sensitivity of the exposed data, the impact is high for affected organizations.

Mitigation Recommendations

1. Upgrade Glances to version 4.5.3 or later, where the vulnerability is patched with proper CORS policy restrictions and request validation.
2. If upgrading immediately is not possible, disable the XML-RPC server functionality by not starting Glances with the -s or --server options.
3. Restrict network access to the Glances server interface using firewall rules or network segmentation so that only trusted hosts can reach it.
4. Implement web application firewall (WAF) rules to detect and block suspicious cross-origin POST requests with XML-RPC payloads targeting the Glances server port.
5. Monitor network traffic and logs for unusual requests to the Glances server, especially POST requests with a text/plain Content-Type and XML payloads.
6. Educate users about the risks of visiting untrusted websites that could host malicious scripts exploiting this vulnerability.
7. Review and rotate any credentials or tokens that may have been exposed if exploitation is suspected.
8. Consider deploying Content Security Policy (CSP) headers on internal web portals to reduce the risk of malicious script execution.

These steps collectively reduce the attack surface and limit the potential for data exfiltration via this vulnerability.
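Recommendation 5 above is easier to act on with a concrete rule. Standard access logs record neither the Content-Type nor the request body, so the added example below assumes a reverse proxy in front of the XML-RPC port that writes key=value lines including the content type, the Origin header and the first bytes of the body. The log lines, field names and addresses are constructed for this illustration; nothing here is Glances' own logging or the vendor's detection logic.

```python
"""Log triage for the request shape described in the advisory (added example).

Flags POSTs whose body looks like an XML-RPC call but whose Content-Type is
one a browser may send cross-origin without a preflight. The log format, the
field names and every value below are constructed; they are not Glances logs.
"""
import re

# CORS-safelisted request content types: browsers may send these cross-origin
# with no preflight, so an XML-RPC body under one of them is the red flag.
SIMPLE_REQUEST_TYPES = {
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}

# Constructed sample log from a hypothetical reverse proxy; "-" marks an absent field.
SAMPLE_LOG = """\
ts=2026-04-02T14:58:01Z src=10.0.0.23 method=POST path=/ ctype="text/plain" origin="https://unlisted.example" body_prefix="<?xml version" status=200 bytes=48211
ts=2026-04-02T14:58:05Z src=10.0.0.9 method=POST path=/ ctype="text/xml; charset=utf-8" origin=- body_prefix="<?xml version" status=200 bytes=48211
ts=2026-04-02T14:58:09Z src=10.0.0.9 method=POST path=/ ctype="text/plain" origin=- body_prefix="ping" status=400 bytes=0
ts=2026-04-02T14:58:12Z src=10.0.0.41 method=GET path=/ ctype=- origin="https://unlisted.example" body_prefix=- status=405 bytes=0
ts=2026-04-02T14:58:20Z src=10.0.0.77 method=POST path=/ ctype="application/x-www-form-urlencoded" origin=- body_prefix="<methodCall>" status=200 bytes=48211
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; a bare '-' becomes None."""
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        value = bare or quoted
        rec[key] = None if value == "-" else value
    return rec


def media_type(ctype):
    """'text/xml; charset=utf-8' -> 'text/xml'; None -> ''."""
    return (ctype or "").split(";", 1)[0].strip().lower()


def looks_like_xmlrpc(body_prefix):
    """True when the logged body prefix starts like an XML-RPC request."""
    prefix = (body_prefix or "").lstrip()
    return prefix.startswith("<?xml") or prefix.startswith("<methodCall")


def classify(rec):
    """Return a reason string when the record matches the advisory's shape, else None."""
    if rec.get("method") != "POST" or not looks_like_xmlrpc(rec.get("body_prefix")):
        return None
    if media_type(rec.get("ctype")) not in SIMPLE_REQUEST_TYPES:
        return None  # text/xml and friends require a preflight; not this pattern
    if rec.get("origin"):
        return f"cross-origin simple request from {rec['origin']} carrying XML-RPC"
    # No Origin header: not a browser, or a proxy stripped it; still worth a look.
    return "XML-RPC body under a CORS-safelisted content type (no Origin header)"


def triage(log_text):
    """Return [(ts, src, reason)] for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            hits.append((rec.get("ts"), rec.get("src"), reason))
    return hits


if __name__ == "__main__":
    for ts, src, reason in triage(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

Of the five constructed lines only the first and the last are flagged: the text/xml request is the normal client shape, the text/plain "ping" carries no XML, and the GET is not an XML-RPC call at all. A hit with an Origin header and a 200 status against a pre-4.5.3 server is the case to treat as possible exfiltration and to follow with the credential review in recommendation 7.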


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T18:05:11.831Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69ce866ce6bfc5ba1de33603

Added to database: 4/2/2026, 3:08:28 PM

Last enriched: 4/2/2026, 3:39:16 PM

Last updated: 4/3/2026, 7:09:14 AM

