GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-05T17:39:04.966Z

Updated: 2024-08-02T13:51:38.549Z

Reserved: 2023-03-24T16:25:34.465Z

Link: CVE-2023-28838

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-04-05T18:15:08.383

Modified: 2024-11-21T07:56:07.750

Link: CVE-2023-28838

cve-icon Redhat

No data.