CVE-2023-46726

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:29

Type Values Removed Values Added
References () https://github.com/glpi-project/glpi/commit/42ba2b031bec0b3889317db25f3adf9080fc11b2 - Patch () https://github.com/glpi-project/glpi/commit/42ba2b031bec0b3889317db25f3adf9080fc11b2 - Patch
References () https://github.com/glpi-project/glpi/releases/tag/10.0.11 - Release Notes () https://github.com/glpi-project/glpi/releases/tag/10.0.11 - Release Notes
References () https://github.com/glpi-project/glpi/security/advisories/GHSA-qc92-gxc6-5f95 - Third Party Advisory () https://github.com/glpi-project/glpi/security/advisories/GHSA-qc92-gxc6-5f95 - Third Party Advisory
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 7.2

18 Dec 2023, 18:59

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-13 19:15

Updated : 2024-11-21 08:29


NVD link : CVE-2023-46726

Mitre link : CVE-2023-46726

CVE.ORG link : CVE-2023-46726


JSON object : View

Products Affected

glpi-project

  • glpi
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')