PT-2015-4032 · Teclib+1 · Glpi+1

Published

2014-10-20

Updated

2015-04-15

CVE-2014-8360

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 0.84.8

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot underscore) in an item type to the getItemForItemtype. This can be demonstrated by the itemtype parameter in "ajax/common.tabs.php".

Recommendations For versions prior to 0.84.8, update to version 0.84.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the getItemForItemtype function and the itemtype parameter in "ajax/common.tabs.php" to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2014-2285

CVE-2014-8360

MGASA-2015-0017

Affected Products

Alt Linux

Glpi

PT-2015-4032 · Teclib+1 · Glpi+1

CVE-2014-8360

Weakness Enumeration

Related Identifiers

Affected Products

References · 23