Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36112: Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

CVE
Open in Source
#ssrf

Low

trasher published GHSA-rqgx-gqhp-x8vv

Sep 14, 2022

Package

glpi (glpi-project)

Affected versions

<10.0.3

Description

Impact

Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit.
Server-side requests can be used to scan server port or services opened on GLPI server or its private network.
Queries responses are not exposed to end-user (blind SSRF).

For more information

If you have any questions or comments about this advisory:
mail us at [email protected]

Severity

CVSS base metrics

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Weaknesses

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE