GLPI Remote code execution from LDAP server configuration form on PHP 7.4
CVE-2023-46726

7.2 HIGH

Key Information:

Vendor: glpi-project
Product: glpi
CVE Published: 13 December 2023

Summary

GLPI is a widely used free asset and IT management software package. Versions 10.0.0 up to and including 10.0.10 contain an arbitrary code execution vulnerability in the LDAP server configuration form, exploitable only when GLPI runs on PHP 7.4. An attacker with a privileged account that can reach that form (hence the CVSS rating of Privileges Required: High) could use it to execute arbitrary code that had previously been uploaded to the instance as a GLPI document. Version 10.0.11 contains the fix, and users should upgrade to it or later. Because the flaw only triggers under PHP 7.4, which reached end of life in November 2022, moving the instance to a supported PHP release also removes exposure, but upgrading GLPI remains the proper remediation.
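The two conditions above (GLPI version in the affected range and the interpreter being PHP 7.4) are what an operator has to check across a fleet. The following triage helper is an added example, not GLPI project code or part of the advisory. It assumes the GLPI version can be read from a `define('GLPI_VERSION', '...')` line (an assumption about the layout of the install's `inc/define.php`) and that the PHP version string comes from `php -v` output; the sample file contents are constructed inline.

```python
"""Triage helper for CVE-2023-46726 (added example, not GLPI project code).

Exposure requires both conditions stated in the advisory:
  * GLPI version in [10.0.0, 10.0.11)   (10.0.11 contains the fix)
  * GLPI is being executed by PHP 7.4
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (10, 0, 0)     # inclusive lower bound
FIXED_IN = (10, 0, 11)        # exclusive upper bound: first fixed release
VULNERABLE_PHP_MINOR = (7, 4) # only this PHP series triggers the flaw


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.0.10', '10.0.11-dev' or 'PHP 7.4.33 (cli)' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0 so that '7.4' sorts like '7.4.0'.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def glpi_version_from_define(php_source: str) -> Optional[str]:
    """Extract GLPI_VERSION from the text of inc/define.php.

    Assumption: the file declares the constant as define('GLPI_VERSION', '...');
    Returns None when no such line is present.
    """
    m = re.search(
        r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]", php_source
    )
    return m.group(1) if m else None


def glpi_in_affected_range(glpi_version: str) -> bool:
    """True when the GLPI release falls inside >= 10.0.0, < 10.0.11."""
    return AFFECTED_MIN <= parse_version(glpi_version) < FIXED_IN


def php_is_7_4(php_version: str) -> bool:
    """True when the interpreter is any PHP 7.4.x build."""
    return parse_version(php_version)[:2] == VULNERABLE_PHP_MINOR


def assess(glpi_version: str, php_version: str) -> str:
    """Classify one instance.

    'vulnerable'                     both conditions hold
    'affected-code-but-not-php-7.4'  vulnerable code present, PHP not 7.4: still upgrade
    'not-affected'                   GLPI release outside the affected range
    """
    if not glpi_in_affected_range(glpi_version):
        return "not-affected"
    if php_is_7_4(php_version):
        return "vulnerable"
    return "affected-code-but-not-php-7.4"


# Constructed sample of the relevant line from an install's inc/define.php
SAMPLE_DEFINE_PHP = "<?php\ndefine('GLPI_VERSION', '10.0.10');\n"

if __name__ == "__main__":
    ver = glpi_version_from_define(SAMPLE_DEFINE_PHP)
    # Constructed php -v headers for two hypothetical hosts
    for php in ("PHP 7.4.33 (cli) (built: Nov 1 2022)", "PHP 8.1.27 (cli)"):
        print(f"GLPI {ver} on {php.split(' (')[0]} -> {assess(ver, php)}")
```

Hosts reported as `affected-code-but-not-php-7.4` are not exploitable through this bug, but they still run the unfixed code and should be scheduled for the 10.0.11 upgrade like the rest.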

Affected Version(s)

glpi >= 10.0.0, < 10.0.11

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 7.2 (HIGH)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 13 December 2023