CVE-2023-42461

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
glpi-projectglpi
10.0.0 ≤
𝑥
< 10.0.10
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
glpi-projectglpi
10.0.0 ≤
𝑥
< 10.0.10
ADP
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
glpi
focal
dne
jammy
dne
noble
dne
oracular
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w
https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w