PT-2023-3261 · Glpi+2

Brosck · Published 2023-04-05 · Updated 2024-05-22 · CVE-2023-28633

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

GLPI versions 0.84 through 9.5.12
GLPI versions 10.0.0 through 10.0.6
Description

The issue is related to the usage of RSS feeds in GLPI, which is subject to server-side request forgery (SSRF). When the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered, and this feature does not check the safety of URLs. This can allow a remote attacker to send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems, potentially gaining access to confidential data located in the local network or sending malicious requests to other servers from the vulnerable system.
Recommendations

For GLPI versions 0.84 through 9.5.12, update to version 9.5.13 to resolve the issue. For GLPI versions 10.0.0 through 10.0.6, update to version 10.0.7 to resolve the issue. As a temporary workaround, consider disabling the RSS autodiscovery feature until a patch is available. Restrict access to the RSS feed functionality to minimize the risk of exploitation.
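The weakness described above is an outbound fetch (the autodiscovery follow-up request) made without vetting the destination. The following is an added example, not GLPI's code and not the project's fix, of the kind of destination check a feed fetcher should run before every outbound request, including each URL derived during autodiscovery and each redirect target. Host names, addresses and the in-memory resolver are constructed for the example so that it runs offline.

```python
"""
Added example (not GLPI's code): vet the destination of an RSS/autodiscovery
fetch before issuing the request. Rejects non-http(s) schemes, embedded
credentials, and any host that resolves to a loopback, private, link-local,
multicast, reserved or unspecified address.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. A real fetcher
# would resolve with socket.getaddrinfo and then connect to the vetted
# address itself (not re-resolve the name) to avoid DNS-rebinding races.
FAKE_DNS = {
    "feeds.example.org": ["23.45.67.89"],               # constructed public address
    "intranet.corp.example": ["10.0.0.5"],              # constructed private address
    "rebind.example.net": ["23.45.67.89", "127.0.0.1"],  # mixed answers: must be rejected
}


def resolve(hostname):
    """Return the list of addresses for hostname (constructed resolver)."""
    return FAKE_DNS.get(hostname, [])


def is_public_address(addr):
    """True only for addresses that are routable on the public Internet."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be judged as the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_feed_url(url, resolver=resolve):
    """Return (ok, reason). ok is True only when the scheme is http(s), the
    URL carries no credentials, and every address the host resolves to is
    publicly routable. Call this again for every redirect target."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # A literal IP in the URL is checked directly (urlparse strips [] from IPv6).
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{addr} is not publicly routable"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://feeds.example.org/rss.xml",
        "http://intranet.corp.example/feed",
        "http://127.0.0.1:8080/",
        "http://[::ffff:10.0.0.5]/",
        "http://rebind.example.net/",
        "ftp://feeds.example.org/",
    ):
        print(candidate, "->", check_feed_url(candidate))
```

The check is deliberately conservative: a host with several DNS answers is rejected if any one of them is non-public, and a literal IPv4-mapped IPv6 address is unwrapped before the range test, since a fetcher that only inspects the textual host would otherwise let an internal IPv4 address through.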

Exploit

Fix

Weakness Enumeration

SSRF

Related Identifiers

ALT-PU-2023-1801
ALT-PU-2023-1932
ALT-PU-2023-2081
ALT-PU-2023-5122
ALT-PU-2023-7633
ALT-PU-2024-8030
ALT-PU-2024-8094
BDU:2023-03382
CVE-2023-28633
GHSA-R57V-J88M-RWWF

Affected Products

Alt Linux
Glpi
Red Os