PT-2023-6823 · Glpi+2
Guilhem7 · Published 2023-09-26 · Updated 2024-05-22
CVE-2023-41320
CVSS v2.0 score: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
GLPI versions prior to 10.0.10
Description
The vulnerability is in GLPI's handling of UI layout preferences. A remote attacker can manipulate these preferences so that attacker-controlled input reaches an SQL statement without proper neutralization of special elements (CWE-89, SQL injection). The resulting injection can be used to take over an administrator account.
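The following is an added illustration of the weakness class named above, not GLPI's code and not the actual GLPI bug: it models a generic "display preferences" feature in which a user's saved choice of list columns is spliced into SQL, and sets the vulnerable pattern beside an allowlist-based fix. The table names, column names, sample rows and payload are all constructed for the demo.

```python
"""CWE-89 in a layout-preference feature: vulnerable vs. hardened.

Hypothetical model, not GLPI's code. A user stores which columns a list
should display; the application builds the SELECT from that preference.
"""
import sqlite3

# Constructed sample schema: the list being displayed, plus a users table
# standing in for the account data an injection of this class can reach.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, created TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
INSERT INTO items VALUES (1, 'printer', '2023-01-02'), (2, 'laptop', '2023-01-01');
INSERT INTO users VALUES (1, 'glpi', 'hash-of-admin-password');
"""

# Identifiers cannot be bound as query parameters, so the only safe way to
# let a user choose columns is to map the request onto a fixed allowlist.
ALLOWED_COLUMNS = {"id", "name", "created"}

# Constructed payload: a saved "columns" preference that closes the intended
# column list, redirects the query to another table and comments out the rest.
PAYLOAD = "password_hash FROM users --"


def new_db():
    """Fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_items_vulnerable(conn, display_columns):
    """Interpolates the stored preference straight into SQL (the CWE-89 pattern)."""
    sql = f"SELECT {display_columns} FROM items ORDER BY id"
    return conn.execute(sql).fetchall()


def list_items_hardened(conn, display_columns):
    """Accepts only allowlisted column names and quotes them as identifiers."""
    cols = [c.strip() for c in display_columns.split(",")]
    rejected = [c for c in cols if c not in ALLOWED_COLUMNS]
    if rejected:
        raise ValueError(f"rejected display columns: {rejected}")
    sql = "SELECT " + ", ".join(f'"{c}"' for c in cols) + " FROM items ORDER BY id"
    return conn.execute(sql).fetchall()


def demo():
    """Runs both variants on an honest preference and on the payload."""
    conn = new_db()
    honest = list_items_vulnerable(conn, "id, name")
    leaked = list_items_vulnerable(conn, PAYLOAD)   # reads users.password_hash
    try:
        list_items_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {"honest": honest, "leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lesson carries over to any preference that names a column, table or sort key: such values are identifiers, not data, so parameter binding alone does not help and the input must be mapped onto a server-side allowlist before it is placed in the statement.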
Recommendations
Upgrade GLPI to version 10.0.10 or later, which fixes the issue.
If the upgrade cannot be applied immediately, restrict access to the UI layout preferences management feature until it can.
No other workarounds are known at this time.
Weakness Enumeration
SQL injection (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)
Related Identifiers
CVE-2023-41320
Affected Products
Alt Linux
Glpi
Red Os