CVE-2024-29889

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/glpi-project/glpi/commit/0a6b28be4c0f848106c60b554c703ec2e178d6c7
https://github.com/glpi-project/glpi/security/advisories/GHSA-8xvf-v6vv-r75g

Configurations

No configuration.

History

07 May 2024, 20:07

Type	Values Removed	Values Added
Summary		(es) GLPI es un paquete gratuito de software de gestión de TI y activos. Antes de 10.0.15, un usuario autenticado podía explotar una vulnerabilidad de inyección SQL en la función de búsquedas guardadas para alterar los datos de la cuenta de otro usuario y tomar el control de ella. Esta vulnerabilidad se solucionó en 10.0.15.

07 May 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-07 14:15

Updated : 2024-05-07 20:07

NVD link : CVE-2024-29889

Mitre link : CVE-2024-29889

CVE.ORG link : CVE-2024-29889

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.1 /10