Lucene search

[email protected]CVE-2022-35946

HistorySep 14, 2022 - 6:15 p.m.

CVE-2022-35946

2022-09-1418:15:10

CWE-89

[email protected]

web.nvd.nist.gov

238

glpi

it management

cve-2022-35946

information security

vulnerability

plugin controller

api access

database alteration

upgrade

script removal

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.0%

JSON

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have “General setup” update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the front/plugin.form.php script.

Affected configurations

Vulners

NVD

Node

glpi-projectglpiRange0.72–10.0.3

VendorProductVersionCPE
glpi\-projectglpi*cpe:2.3:a:glpi\-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi\-project	glpi	*	cpe:2.3:a:glpi\-project:glpi::::::::

CNA Affected

[
  {
    "product": "glpi",
    "vendor": "glpi-project",
    "versions": [
      {
        "status": "affected",
        "version": ">= 0.72, < 10.0.3"
      }
    ]
  }
]