GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:NGlpi Project Glpi
APPGlpi-Project0.50 – 9.5.13 (bez)10.0.0 – 10.0.7 (bez)
Related vulnerabilities
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code inje...
GLPI: Template Injection prowadzący do RCE przez konto administratora
GLPI: Kradzież sesji przez nieuauthoryzowany dostęp do identyfikatorów sesji
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0....
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0....