PT-2023-4273 · Glpi +2
Flegastelois
Published 2023-07-05 · Updated 2024-08-22
CVE-2023-36808 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GLPI versions 0.80 through 10.0.7
Description
GLPI, an IT asset and inventory management system, does not adequately protect certain user-controlled input from SQL injection. The Computer Virtual Machine form and the GLPI inventory request handler are the affected entry points. A remote attacker can inject arbitrary SQL into queries executed against the GLPI database; since the inventory request can be sent without authentication (PR:N in the vector), exploitation does not require an account.
Recommendations
For versions 0.80 through 10.0.7, update to version 10.0.8, which contains the fix for this issue.
If updating is not immediately possible, disable GLPI's native inventory as a temporary workaround: this removes the inventory request entry point and reduces the exposure until the update is applied. Note that the Computer Virtual Machine form remains affected until the update.
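To triage a fleet of GLPI instances against the range above, the following script (an added example, not code from the advisory, from Positive Technologies or from the GLPI project) compares a reported GLPI version string with the affected range and states the remediation that applies. It assumes you already have the version string of each instance (for example from the `GLPI_VERSION` constant in the installation, or from your CMDB) and whether native inventory is enabled; the instance list at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Affected range taken from the advisory: GLPI >= 0.80 and < 10.0.8 (fixed in 10.0.8).
FIRST_AFFECTED: Tuple[int, ...] = (0, 80)
FIXED_IN: Tuple[int, ...] = (10, 0, 8)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a GLPI version string ('0.80', '9.5.13', '10.0.7-1') into a comparable int tuple.

    Anything after the first '-', '+' or space (packaging suffixes such as '-1' or
    '-dev') is ignored, so '10.0.7-1' compares as 10.0.7.
    """
    core = re.split(r"[-+ ]", version.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GLPI version string: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Pad with zeros so (10, 0, 7) and (0, 80) compare component by component.
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version)
    n = max(len(v), len(FIRST_AFFECTED), len(FIXED_IN))
    return _pad(FIRST_AFFECTED, n) <= _pad(v, n) < _pad(FIXED_IN, n)


def assess(version: str, native_inventory_enabled: bool) -> Dict[str, object]:
    """Return the triage verdict for one instance.

    The 'exposure' field distinguishes an affected instance that still exposes the
    unauthenticated inventory request from one where native inventory is already
    disabled (the workaround from the advisory); both still need the 10.0.8 update.
    """
    affected = is_affected(version)
    if not affected:
        exposure = "not affected"
        action = "none"
    elif native_inventory_enabled:
        exposure = "affected, inventory request exposed"
        action = "update to 10.0.8 now; disable native inventory until then"
    else:
        exposure = "affected, inventory disabled (VM form still reachable)"
        action = "update to 10.0.8"
    return {"version": version, "affected": affected, "exposure": exposure, "action": action}


def triage(instances: List[Tuple[str, str, bool]]) -> List[Dict[str, object]]:
    """Assess a list of (hostname, version, native_inventory_enabled) tuples."""
    return [dict(host=host, **assess(ver, inv)) for host, ver, inv in instances]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("glpi-prod.example.internal", "10.0.7", True),
        ("glpi-staging.example.internal", "10.0.8", True),
        ("glpi-legacy.example.internal", "9.5.13", False),
        ("glpi-old.example.internal", "0.78", True),
    ]
    for row in triage(sample):
        print(f"{row['host']:32} {row['version']:8} {row['exposure']:50} -> {row['action']}")
```

The padding step matters: without it Python would compare `(10, 0, 7)` with `(10, 0, 8)` correctly but would treat `(0, 80)` and `(0, 80, 0)` as different values, which breaks the lower bound for two-component versions.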
Weakness Enumeration
SQL injection (CWE-89)
Related Identifiers
CVE-2023-36808
Affected Products
Alt Linux
Glpi
Red Os