Published: 08/03/2021 Updated: 16/03/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

GLPI could allow a remote attacker to bypass security restrictions, caused by a flaw when passing an existing class as an input of the getItemForItemtype() function. By sending a specially crafted request, an attacker could exploit this vulnerability to remotely instantiate an object of any class existing in the GLPI environment.
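The unsafe-reflection pattern described in the summary, shown beside a hardened form. This is an added example, not GLPI's code or its actual fix; the classes `InventoryItem`, `Computer`, `Printer`, `MailTransport` and the functions `getItemUnsafe()` and `getItemSafe()` are hypothetical.

```php
<?php
declare(strict_types=1);

// All classes and functions below are hypothetical stand-ins, not GLPI code.
abstract class InventoryItem {}          // base type callers may legitimately request
final class Computer extends InventoryItem {}
final class Printer extends InventoryItem {}

// Unrelated class whose constructor has a side effect; it only needs to be loadable.
final class MailTransport
{
    public function __construct()
    {
        echo "side effect: MailTransport constructed\n";
    }
}

// Unsafe reflection: any class name that exists is instantiated.
function getItemUnsafe(string $itemtype): ?object
{
    return class_exists($itemtype) ? new $itemtype() : null;
}

// Hardened: exact-match allowlist, then a base-type and instantiability check.
function getItemSafe(string $itemtype): ?InventoryItem
{
    $allowed = [Computer::class, Printer::class];
    if (!in_array($itemtype, $allowed, true)) {
        return null;                     // unknown or unrelated class name
    }
    $ref = new ReflectionClass($itemtype);
    if (!$ref->isSubclassOf(InventoryItem::class) || !$ref->isInstantiable()) {
        return null;                     // defence in depth if the allowlist drifts
    }
    return $ref->newInstance();
}

// Constructed inputs standing in for a request parameter.
foreach (['Computer', 'MailTransport', 'NoSuchClass'] as $name) {
    $unsafe = getItemUnsafe($name);
    $safe   = getItemSafe($name);
    printf(
        "%-14s unsafe=%-14s safe=%s\n",
        $name,
        $unsafe === null ? 'null' : get_class($unsafe),
        $safe === null ? 'null' : get_class($safe)
    );
}
```

The unsafe variant constructs `MailTransport` and runs its constructor, while the hardened variant returns null for every name outside the allowlist.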

Most Upvoted Vulmon Research Post

CVE-2021-21327, recently found in GLPI by Iterasec, allows remote PHP object instantiation. Technical writeup and exploit included for research purposes: https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/

Vulnerable Product

glpi-project glpi

Mailing Lists

GLPI versions 953 and below suffer from a fromtype unsafe reflection vulnerability ...