CVE-2018-7562

Name of the Vulnerable Software and Affected Versions GLPI versions prior to 9.2.2

Description A remote code execution issue was discovered, allowing temporary access to an uploaded executable file due to a race condition. The application permits authenticated users to upload files when creating new tickets via the "front/fileupload.php" endpoint. Although this feature is protected by security checks, such as verifying the file's extension, the application still uploads and creates a disallowed file before deleting it in the uploadFiles method in inc/glpiuploaderhandler.class.php.

Recommendations For GLPI versions prior to 9.2.2, update to version 9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "front/fileupload.php" endpoint to minimize the risk of exploitation. Additionally, restrict the use of the uploadFiles method in inc/glpiuploaderhandler.class.php until a patch is available.