Vulnerability Description
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 10.0.0, < 10.0.7 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/releases/tag/10.0.7PatchRelease Notes
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6Vendor Advisory
- https://github.com/glpi-project/glpi/releases/tag/10.0.7PatchRelease Notes
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9r84-jpg3-h4m6Vendor Advisory
FAQ
What is CVE-2023-28849?
CVE-2023-28849 is a vulnerability with a CVSS score of 10.0 (CRITICAL). GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be use...
How severe is CVE-2023-28849?
CVE-2023-28849 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-28849?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.