Lucene search

GitHub_MCVELIST:CVE-2023-28855

HistoryApr 05, 2023 - 5:48 p.m.

CVE-2023-28855 Fields GLPI plugin vulnerable to unauthorized write access to additional fields

2023-04-0517:48:22

CWE-269

GitHub_M

www.cve.org

cve-2023-28855

glpi

unauthorized access

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

25.4%

JSON

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.

CNA Affected

[
  {
    "vendor": "pluginsGLPI",
    "product": "fields",
    "versions": [
      {
        "version": "< 1.13.1",
        "status": "affected"
      },
      {
        "version": ">= 1.20.0, < 1.20.4",
        "status": "affected"
      }
    ]
  }
]

References

github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d

github.com/pluginsGLPI/fields/releases/tag/1.13.1

github.com/pluginsGLPI/fields/releases/tag/1.20.4

github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

25.4%

JSON

Related for CVELIST:CVE-2023-28855