PT-2020-4300 · Teclib · Glpi

Hightrasher · Published 2020-10-07 · Updated 2024-05-22 · CVE-2020-15176

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.2

Description: The vulnerability is an improper neutralization of special elements used in an SQL command (SQL injection). A backtick supplied in user input that ends up in an SQL query is neither escaped nor sanitized, so an unauthenticated remote attacker can execute arbitrary SQL queries against the backend database by sending a specially crafted request to the vulnerable application. This can lead to the exfiltration of sensitive information, including passwords, password-reset tokens, and personal details.

Recommendations: Update to GLPI 9.5.2 or later, which resolves the issue. Until the update can be applied, restrict and validate any user-supplied input that is placed into SQL queries (for example, by allowlisting the field names a request may reference), and in particular reject input containing backticks, since the backtick is MySQL's identifier-quoting character and is the element the vulnerable code fails to escape.
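To make the advisory concrete, the following is an added example written for this page; it is not GLPI's code and does not reproduce the exact vulnerable location. It models the pattern the advisory describes: a field name taken from the request is wrapped in backticks but the backtick itself is never escaped, so an attacker can close the quoted identifier and add columns to the SELECT. The table, column names (`glpi_users`, `password`, `reset_token`), the `ALLOWED_FIELDS` allowlist and the sample rows are all constructed for the demonstration. It uses an in-memory SQLite database because SQLite accepts the same backtick identifier quoting and doubled-backtick escaping as MySQL.

```python
import sqlite3

# Constructed sample data (not from the advisory): two users with a password
# hash and a reset token, the kind of data the advisory says an attacker
# could exfiltrate.
SAMPLE_USERS = [
    (1, "alice", "$2y$10$hash-of-alice", "tok-alice"),
    (2, "bob", "$2y$10$hash-of-bob", "tok-bob"),
]

# Hypothetical allowlist: the only field names a request is permitted to ask for.
ALLOWED_FIELDS = frozenset({"id", "name"})


def make_db():
    """Build an in-memory database with the constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE glpi_users "
        "(id INTEGER, name TEXT, password TEXT, reset_token TEXT)"
    )
    db.executemany("INSERT INTO glpi_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db


def vulnerable_select(db, field):
    """Vulnerable pattern (modelled on the advisory, not GLPI's actual code):
    the identifier is wrapped in backticks, but a backtick inside `field`
    is never escaped, so it terminates the quoted identifier early."""
    sql = f"SELECT `{field}` FROM glpi_users"
    return db.execute(sql).fetchall()


def quote_identifier(name):
    """MySQL-style identifier quoting: double every embedded backtick so it
    can never close the quoted identifier. SQLite accepts the same syntax."""
    return "`" + name.replace("`", "``") + "`"


def escaped_only_select(db, field):
    """Escaping alone: the attacker's text stays inside one identifier, which
    then simply does not exist (the database raises an error, nothing leaks)."""
    sql = f"SELECT {quote_identifier(field)} FROM glpi_users"
    return db.execute(sql).fetchall()


def hardened_select(db, field):
    """Hardened version: allowlist the field name first, then quote it.
    The allowlist is the real fix; quoting is defence in depth."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field!r}")
    sql = f"SELECT {quote_identifier(field)} FROM glpi_users"
    return db.execute(sql).fetchall()


def demo():
    """Run the same payload through all three builders and report what happened."""
    db = make_db()
    # Attacker-controlled field name: closes the identifier and appends columns.
    payload = "name`, `password`, `reset_token"

    leaked = vulnerable_select(db, payload)  # hashes and reset tokens come back

    try:
        escaped_only_select(db, payload)
        escape_blocked = False
    except sqlite3.OperationalError:       # "no such column": breakout defeated
        escape_blocked = True

    try:
        hardened_select(db, payload)
        allowlist_blocked = False
    except ValueError:                     # rejected before any SQL is built
        allowlist_blocked = True

    return {
        "leaked": leaked,
        "escape_blocked": escape_blocked,
        "allowlist_blocked": allowlist_blocked,
        "legit": hardened_select(db, "name"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable builder returning every user's password hash and reset token for a single crafted field name, while the escaped builder turns the same payload into a harmless "no such column" error and the allowlisted builder rejects it before any SQL is constructed. The allowlist is the check to prefer: escaping only protects the one quoting context it was written for, whereas validating the field name against the set of columns the feature actually supports removes attacker control over the identifier entirely.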

Weakness Enumeration: SQL injection

Related Identifiers

ALT-PU-2020-3130
ALT-PU-2020-3162
ALT-PU-2024-8094
BDU:2020-04793
CVE-2020-15176
GHSA-X93W-64X9-58QW

Affected Products

Alt Linux
Glpi