CVE-2023-29006
CVSS V2 None
CVSS V3 None
Description
The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin.
Overview
- CVE ID
- CVE-2023-29006
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-04-05T18:15:08
- Last Modified Date
- 2023-04-12T15:53:29
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:glpi-project:order:*:*:*:*:*:glpi:*:* | 1 | OR | 1.8.0 | 2.7.7 |
| cpe:2.3:a:glpi-project:order:2.10.0:*:*:*:*:glpi:*:* | 1 | OR |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/pluginsGLPI/order/commit/c78e64b95e54d5e47d9835984c93049f245b579e | Patch |
| https://github.com/pluginsGLPI/order/security/advisories/GHSA-xfx2-qx2r-3wwm | Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-29006 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29006 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-04-17 04:12:45 | Added to TrackCVE | |||
| 2023-04-17 04:12:47 | Weakness Enumeration | new |