PT-2023-22081 · Glpi · Order Glpi Plugin

C3L3Si4N · Published 2023-04-05 · Updated 2023-04-12 · CVE-2023-29006

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Order GLPI plugin versions 1.8.0 through 2.7.6
Order GLPI plugin versions 2.8.0 through 2.10.0

Description

The issue allows an authenticated user with access to the standard interface to craft a URL that can execute a system command.

Recommendations

For Order GLPI plugin versions 1.8.0 through 2.7.6, update to version 2.7.7.
For Order GLPI plugin versions 2.8.0 through 2.10.0, update to version 2.10.1.
As a temporary workaround, consider deleting the ajax/dropdownContact.php file from the plugin.

Exploit

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2023-29006
GHSA-XFX2-QX2R-3WWM

Affected Products

Order Glpi Plugin