CVE-2023-28849
Last modified
CVE-2023-28849 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. EPSS estimates a 0.49% chance of exploitation in the next 30 days.
Description
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 10.0.0, < 10.0.7 |
References
- https://github.com/glpi-project/glpi/releases/tag/10.0.7Patch, Release Notes
- https://github.com/glpi-project/glpi/releases/tag/10.0.7Patch, Release Notes
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-28849?
How severe is CVE-2023-28849?
How do I fix CVE-2023-28849?
Are you affected by CVE-2023-28849?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST