PT-2023-3282 · GLPI · Fields

Pftpz · Published 2023-04-05 · Updated 2023-06-19 · CVE-2023-28855

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Fields versions prior to 1.13.1; Fields versions prior to 1.20.4

Description: The Fields plugin for GLPI lacks an access control check, so any authenticated user can write data to any fields container, including containers to which the user has no configured access. An attacker could exploit this to record data in any container.

Recommendations: For versions prior to 1.13.1, update to version 1.13.1 or later. For versions prior to 1.20.4, update to version 1.20.4 or later.

Exploit

Fix

Improper Authorization

Incorrect Authorization

SSRF

SQL injection

Improper Privilege Management

XSS

Related Identifiers

BDU:2023-03380
BDU:2023-03381
BDU:2023-03382
BDU:2023-03385
BDU:2023-03386
BDU:2023-03387
BDU:2023-03388
BDU:2023-03389
BDU:2023-03415
CVE-2023-28855
GHSA-52VV-HM4X-8584

Affected Products

Fields
Red Os