CVE-2023-36808

GLPI vulnerable to SQL injection through Computer Virtual Machine information

CVSS 8.6 HIGH · EPSS 44.6% · CWE-89
In short

GLPI, a free IT management software package, has a SQL injection flaw in the processing of its Computer Virtual Machine form, reachable through native inventory requests. An attacker who can submit VM inventory data can inject SQL into the application's database queries and read data they are not authorized to see. The assigned CVSS vector rates the impact as high on confidentiality only, with no privileges or user interaction required.

Technical detail

A SQL injection vulnerability (CWE-89) exists in the Computer Virtual Machine form processing of GLPI versions 0.80 through 10.0.7: VM data carried in a GLPI inventory request is used in SQL queries without proper sanitization or parameterization. The CVSS vector is AV:N/AC:L/PR:N/UI:N, so an attacker who can reach the inventory request path over the network can trigger the injection without authenticating and execute arbitrary SQL queries. The rated impact is on confidentiality (C:H), i.e. disclosure of database contents; the vector assigns no integrity or availability impact. The issue is fixed in version 10.0.8; as a workaround, native inventory can be disabled until the upgrade is applied.

Summary generated and translated by AI from the official description.
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
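The bug class behind this advisory, as an added illustrative example that is not GLPI's code and not a description of the actual GLPI query or endpoint: a VM identifier taken from an inventory submission is concatenated into a SQL string, next to the parameterized form that a fix would use. The table names, columns, rows and payloads below are constructed for the demonstration (Python with the standard sqlite3 module; the SQL semantics for quoting, UNION and `--` comments are the same ones that matter in MySQL/MariaDB behind GLPI).

```python
import re
import sqlite3

# Constructed sample data standing in for an asset inventory. Not GLPI's schema.
SAMPLE_VMS = [
    ("vm-web-01", "11111111-1111-1111-1111-111111111111", "prod"),
    ("vm-db-01", "22222222-2222-2222-2222-222222222222", "prod"),
    ("vm-test-01", "33333333-3333-3333-3333-333333333333", "lab"),
]


def make_db():
    """Build an in-memory database with a VM table and a second table an
    injection should never be able to reach (constructed secret value)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vms (name TEXT, uuid TEXT, entity TEXT)")
    conn.execute("CREATE TABLE secrets (k TEXT, v TEXT)")
    conn.executemany("INSERT INTO vms VALUES (?, ?, ?)", SAMPLE_VMS)
    conn.execute("INSERT INTO secrets VALUES ('api_token', 'constructed-secret')")
    conn.commit()
    return conn


def lookup_vm_unsafe(conn, uuid):
    """Vulnerable pattern (CWE-89): the submitted UUID is spliced into the
    query text, so a quote in the value changes the query's structure."""
    sql = "SELECT name, uuid, entity FROM vms WHERE uuid = '" + uuid + "'"
    return conn.execute(sql).fetchall()


def lookup_vm_safe(conn, uuid):
    """Hardened form: the value travels as a bound parameter and can only
    ever be compared as data, never parsed as SQL."""
    sql = "SELECT name, uuid, entity FROM vms WHERE uuid = ?"
    return conn.execute(sql, (uuid,)).fetchall()


UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_valid_uuid(value):
    """Defense in depth for inventory input: reject anything that is not
    shaped like a UUID before it reaches the database layer at all."""
    return bool(UUID_RE.match(value))


def lookup_vm_validated(conn, uuid):
    """Validation plus parameterization; returns None for malformed input."""
    if not is_valid_uuid(uuid):
        return None
    return lookup_vm_safe(conn, uuid)


if __name__ == "__main__":
    db = make_db()
    # Constructed payloads: tautology widens the WHERE clause, UNION pulls
    # rows from an unrelated table (the confidentiality impact in the vector).
    for payload in ["' OR '1'='1", "' UNION SELECT k, v, '' FROM secrets --"]:
        print("unsafe:", lookup_vm_unsafe(db, payload))
        print("safe:  ", lookup_vm_safe(db, payload))
        print("valid: ", lookup_vm_validated(db, payload))
```

The parameterized query is the actual fix for the bug class; the UUID shape check is an additional input-validation layer for inventory data and is not a substitute for binding parameters, since other submitted fields (names, serials, free text) cannot be constrained that tightly.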
Affected products
glpi-project · glpi