CVE-2023-28855

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d	Patch
https://github.com/pluginsGLPI/fields/releases/tag/1.13.1	Release Notes
https://github.com/pluginsGLPI/fields/releases/tag/1.20.4	Release Notes
https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:teclib-edition:fields::::::glpi::*
	cpe:2.3:a:teclib-edition:fields::::::glpi::*

History

No history.

Information

Published : 2023-04-05 18:15

Updated : 2024-02-28 20:13

NVD link : CVE-2023-28855

Mitre link : CVE-2023-28855

CVE.ORG link : CVE-2023-28855

JSON object : View

Products Affected

teclib-edition

fields

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2023-28855", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-04-05T18:15:08.583", "references": [{"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."}], "lastModified": "2023-04-12T16:38:39.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*", "vulnerable": true, "matchCriteriaId": "89C87DD6-157A-4B3B-8C3D-F6AFC6FB2C3E", "versionEndExcluding": "1.13.1"}, {"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*", "vulnerable": true, "matchCriteriaId": "FE8E4B2B-DB2A-4D0F-96AA-651FB7BEE330", "versionEndExcluding": "1.20.4", "versionStartIncluding": "1.20.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}