CVE-2023-28838

Name of the Vulnerable Software and Affected Versions GLPI versions 0.50 through 9.5.12 GLPI versions 10.0.0 through 10.0.6

Description The issue is related to a SQL Injection vulnerability that allows users with access rights to statistics or reports to extract all data from the database and, in some cases, write a webshell on the server. This vulnerability is caused by insufficient cleaning of user data in the GLPI inventory endpoint, allowing a user to send a specially crafted request to the affected application and execute arbitrary SQL commands in the application's database. Exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain full control over the vulnerable application.

Recommendations For GLPI versions 0.50 through 9.5.12, update to version 9.5.13 to resolve the issue. For GLPI versions 10.0.0 through 10.0.6, update to version 10.0.7 to resolve the issue. As a temporary workaround, consider removing Assistance > Statistics and Tools > Reports read rights from every user to minimize the risk of exploitation.