CVE-2023-42802

Published: 02/11/2023 Updated: 09/11/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

Vulnerable Product

glpi-project glpi

Github Repositories

GLPI PoC - Security advisory

GLPI-PoC: GLPI PoC - Security advisory. This repository is used to host our exploitation scripts for the vulnerabilities that have been disclosed to Teclib for the GLPI project. The vulnerabilities were patched in the 10.0.10 version of GLPI.

CVE
CVE-2023-42461 - SQL injection in ITIL actors
CVE-2023-42462 - File deletion through document upload process
CVE-2023-42802 - Unallowed PH