CVE-2014-8360

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 0.84.8

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot underscore) in an item type to the getItemForItemtype. This can be demonstrated by the itemtype parameter in "ajax/common.tabs.php".

Recommendations For versions prior to 0.84.8, update to version 0.84.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the getItemForItemtype function and the itemtype parameter in "ajax/common.tabs.php" to minimize the risk of exploitation.