SQL Injection Vulnerability in GLPI Plugin Affecting Fields Functionality
CVE-2024-45600

7.7 HIGH

Key Information:

CVE Published: 26 December 2024

What is CVE-2024-45600?

The Fields plugin for GLPI, which facilitates the addition of custom fields to item forms, contains a vulnerability that enables an authenticated user to execute SQL injection attacks when the plugin is active. Attackers exploiting this flaw can manipulate SQL queries, potentially leading to unauthorized data access or manipulation. The issue has been addressed in version 1.21.13, making it crucial for users to update to this version to mitigate the risks associated with this vulnerability.

Affected Version(s)

fields < 1.21.13

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
