CVE-2023-41320

Account takeover via SQL Injection in UI layout preferences in GLPI

CVSS 8.1 HIGH · EPSS 32.1% · CWE-89
In short

GLPI has a SQL injection flaw in its UI layout preferences feature that allows attackers to take over administrator accounts. An attacker can exploit this vulnerability to gain full control of the system.

Technical detail

A SQL injection vulnerability exists in GLPI's UI layout preferences management functionality, allowing a low-privileged attacker (the CVSS vector specifies PR:L) to inject SQL into the queries that store these preferences. The injection can be leveraged to extract and modify sensitive data, including administrator credentials, leading to administrator account takeover and complete compromise of the GLPI instance.

Summary generated and translated by AI from the official description.
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products
glpi-project · glpi
