GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-05T17:39:04.966Z
Updated: 2024-08-02T13:51:38.549Z
Reserved: 2023-03-24T16:25:34.465Z
Link: CVE-2023-28838
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-04-05T18:15:08.383
Modified: 2024-11-21T07:56:07.750
Link: CVE-2023-28838
Redhat
No data.