CVE-2020-15176
CVE-2020-15176 is a high-severity vulnerability with a CVSS 3.1 base score of 8.6. In GLPI before version 9.5.2, a back tick (`) in user input that is placed into a SQL query is neither escaped nor sanitized. GLPI runs on MySQL/MariaDB, where the back tick delimits identifiers such as table and column names, so an attacker-supplied back tick closes the identifier early and the remainder of the input is parsed as SQL. An attacker can use this to exfiltrate sensitive information such as passwords, reset tokens and personal details. EPSS estimates a 1.13% chance of exploitation in the next 30 days.
Description
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize it, allowing SQL injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.
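As an added illustration of the pattern the description refers to (a constructed example, not GLPI's code or the patched query): the value side of the query is parameterised, but a column name taken from the request is interpolated between back ticks, so a back tick in the input closes the identifier and the rest is parsed as SQL. The table, sample rows, payload and function names are assumptions made for this demonstration. It runs on SQLite, which accepts MySQL-style back-tick identifiers, and applies the MySQL escaping rule of doubling the back tick; the allowlist is the stronger fix, because identifiers cannot be bound as parameters.

```python
"""Back-tick identifier injection: vulnerable lookup beside two fixes.
Constructed example, not GLPI code. SQLite accepts MySQL-style
back-tick identifiers, so it runs offline with the same semantics."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; nothing here comes from a real deployment.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
        "password_hash TEXT, reset_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "$2y$10$alicehash", "tok-alice"),
            (2, "bob", "$2y$10$bobhash", "tok-bob"),
        ],
    )
    return conn


def vulnerable_lookup(conn, field, user_id):
    # The value is bound, but the column name is wrapped in back ticks and
    # interpolated without escaping: the pattern the advisory describes.
    sql = f"SELECT `{field}` FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


def quote_name(name: str) -> str:
    # MySQL rule for identifiers: wrap in back ticks, double any back tick inside.
    return "`" + name.replace("`", "``") + "`"


def escaped_lookup(conn, field, user_id):
    # Escaping alone: a malicious field becomes one (non-existent) identifier.
    sql = f"SELECT {quote_name(field)} FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


ALLOWED_FIELDS = frozenset({"id", "name"})


def safe_lookup(conn, field, user_id):
    # Allowlist: the column name never reaches SQL unless it is a known one.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    sql = f"SELECT {quote_name(field)} FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchone()


# Closes the `name` identifier, then names a second, sensitive column.
PAYLOAD = "name`, `password_hash"


def demo():
    conn = make_db()
    leaked = vulnerable_lookup(conn, PAYLOAD, 1)  # ('alice', '$2y$10$alicehash')
    try:
        escaped_lookup(conn, PAYLOAD, 1)
        escaped = "query succeeded"
    except sqlite3.OperationalError as exc:
        escaped = f"rejected by database: {exc}"
    try:
        safe_lookup(conn, PAYLOAD, 1)
        safe = "query succeeded"
    except ValueError as exc:
        safe = f"rejected before reaching SQL: {exc}"
    return leaked, escaped, safe


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is: the vulnerable lookup returns the password hash alongside the name, the escaped variant fails with "no such column" because the whole payload is now one identifier, and the allowlisted variant refuses the input before any SQL is built.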
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Base score 8.6 (High): reachable over the network, low attack complexity, no privileges and no user interaction required, scope changed, high confidentiality impact, no integrity or availability impact.
Weakness Enumeration
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), the weakness class that matches the description above.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 9.5.2 |
References
- https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575 (Patch, Third Party Advisory)
- https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw (Third Party Advisory)
Frequently Asked Questions
What is CVE-2020-15176?
A SQL injection in GLPI before version 9.5.2: a back tick in user input that reaches a SQL query is not escaped or sanitized, so an attacker can alter the query and read data such as passwords, reset tokens and personal details.
How severe is CVE-2020-15176?
High. The CVSS 3.1 base score is 8.6: the flaw is reachable over the network with no privileges or user interaction, the scope is changed, and the confidentiality impact is high. EPSS estimates a 1.13% chance of exploitation in the next 30 days.
How do I fix CVE-2020-15176?
Upgrade GLPI to version 9.5.2 or later, which contains the fix (commit f021f1f365b4acea5066d3e57c6d22658cf32575).
Are you affected by CVE-2020-15176?
Any GLPI installation running a version earlier than 9.5.2 is affected.
Source: NVD / NIST
