Mmnhack

**Name of the Vulnerable Software and Affected Versions** GLPI versions 10.0.7 through 10.0.9 **Description** GLPI is a free asset and IT management software package. An unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. **Recommendations** For versions 10.0.7 through 10.0.9, update to version 10.0.10 to fix the issue. As a temporary workaround, remove write access on `/ajax` and `/front` files to the web server.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.10 **Description** The issue is related to the use of the ITIL actors input field from the ticket form, which can be exploited to perform a SQL injection. This allows a remote attacker to potentially capture an administrator account by sending a specially crafted SQL query. GLPI is a free asset and IT management software package that provides ITIL service desk features, licenses tracking, and software auditing. **Recommendations** For versions prior to 10.0.10, upgrade to version 10.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the ITIL actors input field from the ticket form to minimize the risk of exploitation. Avoid using the `ITIL actors input field` in the affected ticket form until the issue is resolved.