CVE-2023-28838

CRITICAL9.6Injection

Description

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Affected products

glpi-project / glpi>= 0.50, < 9.5.13 – >= 0.50, < 9.5.13
glpi-project / glpi>= 10.0.0, < 10.0.7 – >= 10.0.0, < 10.0.7

References

VENDOR_ADVISORYhttps://github.com/glpi-project/glpi/security/advisories/GHSA-2c7r-gf38-358f
PATCHhttps://github.com/glpi-project/glpi/releases/tag/10.0.7
PATCHhttps://github.com/glpi-project/glpi/releases/tag/9.5.13

Updated 5m ago · 2 sources