The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.

The GLPI project reports :

The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.

New major version of GLPI and plugins.

For more information, see announcement on http://www.glpi-project.org/spip.php?lang=en

This update also include a security fix.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a database information disclosure vulnerability in GLPI (Advisory not yet published).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
57910	FreeBSD : glpi -- remote attack via crafted POST request (7c769c89-53c2-11e1-8e52-00163e22ef61)	Nessus	FreeBSD Local Security Checks	medium
55843	Fedora 14 : glpi-0.78.5-2.svn14966.fc14 / glpi-data-injection-2.0.2-1.fc14 / etc (2011-9690)	Nessus	Fedora Local Security Checks	medium
55760	Fedora 15 : glpi-0.78.5-2.svn14966.fc15 (2011-9639)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2011-2720

high

Tenable Plugins

medium

medium

medium