HIGH · 9.0

CVE-2015-7684

Vulnerability Description

Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

CVSS Score

9.0 (HIGH)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE

Affected Products

Vendor | Product | Versions
Glpi-Project | Glpi | <= 0.85.2

References

FAQ

What is CVE-2015-7684?

CVE-2015-7684 is a vulnerability with a CVSS score of 9.0 (HIGH). Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

How severe is CVE-2015-7684?

CVE-2015-7684 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2015-7684?

Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.