Lucene search

FreeBSDB7ABDB0F-3B15-11EB-AF2A-080027DBE4B7

HistoryJun 25, 2020 - 12:00 a.m.

glpi -- Multiple SQL Injections Stemming From isNameQuoted()

2020-06-2500:00:00

vuxml.freebsd.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

44.6%

JSON

MITRE Corporation reports:

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchglpi< 9.5.2,1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
FreeBSD	any	noarch	glpi	< 9.5.2,1	UNKNOWN

References

github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575

github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

8.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

44.6%

JSON

Related for B7ABDB0F-3B15-11EB-AF2A-080027DBE4B7