PT-2023-3282 · Glpi+1 · Fields+1
Pftpz
Published 2023-04-05 · Updated 2023-06-19
CVE-2023-28855
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Fields versions prior to 1.13.1
Fields versions prior to 1.20.4
Description
The Fields plugin for GLPI lacks an access control check, which allows any authenticated user to write data to any fields container, including containers to which they have no configured access. An attacker could potentially exploit this to record data in any container.
Recommendations
For versions prior to 1.13.1, update to version 1.13.1 or later to resolve the issue.
For versions prior to 1.20.4, update to version 1.20.4 or later to resolve the issue.
Exploit
Fix
Improper Authorization
Incorrect Authorization
SSRF
SQL injection
Improper Privilege Management
XSS
Related identifiers
Affected products
Fields
Red Os