Vulnerability Description
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 9.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf3PatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qwThird Party Advisory
- https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf3PatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qwThird Party Advisory
FAQ
What is CVE-2020-15176?
CVE-2020-15176 is a vulnerability with a CVSS score of 8.7 (HIGH). In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulner...
How severe is CVE-2020-15176?
CVE-2020-15176 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15176?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.