GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.
References
Link | Resource |
---|---|
https://github.com/glpi-project/glpi/releases/tag/10.0.7 | Patch Release Notes |
https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-05T17:41:20.945Z
Updated: 2023-04-05T17:41:20.945Z
Reserved: 2023-03-24T16:25:34.467Z
Link: CVE-2023-28849
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-04-05T18:15:08.447
Modified: 2023-04-12T16:50:14.953
Link: CVE-2023-28849
JSON object: View
Redhat Information
No data.