Detections
Analytics

CVE-2023-28849

medium

Description

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6

https://github.com/glpi-project/glpi/releases/tag/10.0.7

Details

Source: Mitre, NVD

Published: 2023-04-05

Updated: 2023-04-12

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00965