Lucene search

Ubuntu.comUB:CVE-2023-28852

HistoryApr 05, 2023 - 12:00 a.m.

CVE-2023-28852

2023-04-0500:00:00

ubuntu.com

cve-2023-28852

glpi

asset management

it management

software

dashboard administration

vulnerability

patch

malicious code

unix

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

25.7%

JSON

GLPI is a free asset and IT management software package. Starting in
version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with
dashboard administration rights may hack the dashboard form to store
malicious code that will be executed when other users will use the related
dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchglpi< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	16.04	noarch	glpi	< any	UNKNOWN

References

github.com/glpi-project/glpi/releases/tag/10.0.7

github.com/glpi-project/glpi/releases/tag/9.5.13

github.com/glpi-project/glpi/security/advisories/GHSA-65gq-p8hg-7m92

launchpad.net/bugs/cve/CVE-2023-28852

nvd.nist.gov/vuln/detail/CVE-2023-28852

security-tracker.debian.org/tracker/CVE-2023-28852

www.cve.org/CVERecord?id=CVE-2023-28852