PT-2024-5859 · Glpi+2

Guilhem7 · Published 2024-07-10 · Updated 2025-01-07 · CVE-2024-37149

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.16
Description: The vulnerability affects GLPI, an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking, and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute it. The root cause is external control of a file name or path.
Recommendations: For versions prior to 10.0.16, upgrade to 10.0.16 to resolve the issue. As a temporary workaround, restrict access to the plugin loader to reduce the risk of exploitation.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2024-10022
ALT-PU-2024-9613
BDU:2024-06606
CVE-2024-37149
GHSA-CWVP-J887-M4XH

Affected Products

Alt Linux
Glpi
Red Os