Humberto Cabrera

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 0.83.9 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `users id assign` parameter to "ajax/ticketassigninformation.php", the `filename` parameter to "front/document.form.php", or the `table` parameter to "ajax/comments.php". **Recommendations** For versions prior to 0.83.9, update to version 0.83.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints "ajax/ticketassigninformation.php", "front/document.form.php", and "ajax/comments.php" until the update is applied. Avoid using the `users id assign`, `filename`, and `table` parameters in the respective affected endpoints until the issue is resolved.