Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-35946

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have "General setup" update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.

Published

2022-09-14T18:15:10.563

Last Modified

2024-11-21T07:12:01.533

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-89
Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	glpi-project	glpi	< 10.0.3	Yes

References

https://github.com/glpi-project/glpi/commit/f542ec8378afbd8038aeca5975b15eca3f0574c8 Patch, Third Party Advisory ([email protected])
https://github.com/glpi-project/glpi/security/advisories/GHSA-92q5-pfr8-r9r2 Third Party Advisory ([email protected])
https://github.com/glpi-project/glpi/commit/f542ec8378afbd8038aeca5975b15eca3f0574c8 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/glpi-project/glpi/security/advisories/GHSA-92q5-pfr8-r9r2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)