CVE-2021-21327

🗓️ 08 Mar 2021 17:00:17Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 94 Views🌐 WEB

GLPI before version 9.5.4 allows non-authenticated remote instantiation of objects, impacting platform integrity and third-party plugins

Reporter	Title	Published	Views	Family All 70
0day.today	GLPI 9.5.3 - (fromtype) Unsafe Reflection Vulnerability	8 Mar 202100:00	–	zdt
ALT Linux	Security fix for the ALT Linux 10 package glpi version 9.5.4-alt1	31 Mar 202100:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package glpi version 9.5.4-alt1	14 Apr 202100:00	–	altlinux
Circl	CVE-2021-21327	14 Nov 202406:08	–	circl
CNNVD	GLPI 安全漏洞	8 Mar 202100:00	–	cnnvd
CNVD	Unspecified vulnerability in GLPI (CNVD-2021-17770)	12 Mar 202100:00	–	cnvd
Cvelist	CVE-2021-21327 Unsafe Reflection in getItemForItemtype()	8 Mar 202117:00	–	cvelist
Exploit DB	GLPI 9.5.3 - 'fromtype' Unsafe Reflection	8 Mar 202100:00	–	exploitdb
EUVD	EUVD-2021-8673	3 Oct 202520:07	–	euvd
NVD	CVE-2021-21327	8 Mar 202117:15	–	nvd

NVD

Vulners

Node

glpi-project glpiRange<9.5.4

[
  {
    "product": "glpi",
    "vendor": "glpi-project",
    "versions": [
      {
        "status": "affected",
        "version": "< 9.5.4"
      }
    ]
  }
]

Source	Link
github	www.github.com/glpi-project/glpi/releases/tag/9.5.4
github	www.github.com/glpi-project/glpi/security/advisories/GHSA-qmw7-w2m4-rjwp
packetstormsecurity	www.packetstormsecurity.com/files/161680/GLPI-9.5.3-Unsafe-Reflection.html

Parameter	Position	Path	Description	CWE
fromtype	request body	ajax/dropdownConnect.php	Unsafe reflection: unauthenticated remote object instantiation via getItemForItemtype in GLPI leading to potential code execution.	CWE-470, CWE-862

21 Nov 2024 05:48Current

6.8Medium risk

Vulners AI Score6.8

CVSS 25

CVSS 3.16.8 - 7.5

EPSS0.003

glpi it management asset management software package cve-2021-21327 vulnerability non-authenticated user remote instantiation object instantiation