Lucene search

GitHub_MCVELIST:CVE-2023-43813

HistoryDec 13, 2023 - 6:17 p.m.

CVE-2023-43813 glpi Authenticated SQL Injection

2023-12-1318:17:21

CWE-89

GitHub_M

www.cve.org

glpi

sql injection

cve-2023-43813

patched

version 10.0.11

saved search

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.8%

JSON

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

CNA Affected

[
  {
    "vendor": "glpi-project",
    "product": "glpi",
    "versions": [
      {
        "version": ">= 10.0.0, < 10.0.11",
        "status": "affected"
      }
    ]
  }
]

References

github.com/glpi-project/glpi/commit/4bd7f02d940953b9cbc9d285f7544bb0e490e75e

github.com/glpi-project/glpi/releases/tag/10.0.11

github.com/glpi-project/glpi/security/advisories/GHSA-94c3-fw5r-3362

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.8%

JSON

Related for CVELIST:CVE-2023-43813