Lucene search

[email protected]NVD:CVE-2023-28838

HistoryApr 05, 2023 - 6:15 p.m.

CVE-2023-28838

2023-04-0518:15:08

CWE-89

[email protected]

web.nvd.nist.gov

glpi

sql injection

vulnerability

patched

workaround

statistics

reports

webshell

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

36.1%

JSON

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove Assistance > Statistics and Tools > Reports read rights from every user.

Affected configurations

Nvd

Node

glpi-projectglpiRange0.50–9.5.13

glpi-projectglpiRange10.0.0–10.0.7

VendorProductVersionCPE
glpi-projectglpi*cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi-project	glpi	*	cpe:2.3:a:glpi-project:glpi::::::::

References

github.com/glpi-project/glpi/releases/tag/10.0.7

github.com/glpi-project/glpi/releases/tag/9.5.13

github.com/glpi-project/glpi/security/advisories/GHSA-2c7r-gf38-358f

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

36.1%

JSON

Related for NVD:CVE-2023-28838

osv1 cvelist1 ubuntucve1 prion1 cve1 freebsd1 redos1