CVE-2024-37149
EUVD-2024-3696610.07.2024, 20:15
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| glpi-project | glpi | 0.85 ≤ 𝑥 < 10.0.16 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| glpi-project | glpi | 0.85 ≤ 𝑥 < 10.0.16 | ADP |
Ubuntu Releases
Common Weakness Enumeration
- CWE-73 - External Control of File Name or PathThe software allows user input to control or influence paths or file names that are used in filesystem operations.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.