CVE-2023-28838

2023-04-0518:15:08

CWE-89

GitHub_M

web.nvd.nist.gov

glpi

version

sql injection

vulnerability

statistics

reports

patch

webshell

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score

8.3

Confidence

High

EPSS

0.001

Percentile

36.1%

JSON

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove Assistance > Statistics and Tools > Reports read rights from every user.

Affected configurations

Nvd

Vulners

Node

glpi-projectglpiRange0.50–9.5.13

glpi-projectglpiRange10.0.0–10.0.7

VendorProductVersionCPE
glpi-projectglpi*cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi-project	glpi	*	cpe:2.3:a:glpi-project:glpi::::::::

CNA Affected

[
  {
    "vendor": "glpi-project",
    "product": "glpi",
    "versions": [
      {
        "version": ">= 0.50, < 9.5.13",
        "status": "affected"
      },
      {
        "version": ">= 10.0.0, < 10.0.7",
        "status": "affected"
      }
    ]
  }
]