CVE-2023-46726: Remote code execution from LDAP server configuration form on PHP 7.4
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Severity: High
trasher published GHSA-qc92-gxc6-5f95
Dec 13, 2023
Affected versions
>= 10.0.0, < 10.0.11 (on PHP 7.4 only)
Description
Impact
On PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document.
Patches
Upgrade to 10.0.11.
Workarounds
Upgrade to PHP 8.x.
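A small inventory-style check, added here as an example (it is not GLPI's own code and is not part of the advisory): it parses GLPI and PHP version strings and reports whether an install sits in the affected window stated above (GLPI 10.0.0 up to, but not including, 10.0.11, running on PHP 7.4.x) and which of the two remedies applies. The dotted-version format it accepts is an assumption; the version boundaries come from the advisory text.

```python
"""Check whether a GLPI install is in the affected window for
GHSA-qc92-gxc6-5f95 / CVE-2023-46726. Added example, not GLPI code."""
from typing import Tuple

# Boundaries as stated in the advisory: first affected and first fixed release.
AFFECTED_MIN = (10, 0, 0)
PATCHED = (10, 0, 11)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.0.10' or '7.4.33-1+ubuntu' into a comparable (major, minor, patch) tuple.

    Only the leading dotted numeric components are used; suffixes such as
    '-rc1' or '+deb' are dropped. Missing components are padded with 0.
    (Assumed input format; adjust if your inventory records versions differently.)
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(glpi_version: str, php_version: str) -> bool:
    """True when GLPI is >= 10.0.0 and < 10.0.11 AND the PHP runtime is 7.4.x."""
    glpi = parse_version(glpi_version)
    php = parse_version(php_version)
    return AFFECTED_MIN <= glpi < PATCHED and php[:2] == (7, 4)


def remediation(glpi_version: str, php_version: str) -> str:
    """Map an install to the advisory's patch / workaround guidance."""
    if not is_affected(glpi_version, php_version):
        return "not affected"
    # Patch is the fix; moving off PHP 7.4 is the documented interim workaround.
    return "upgrade GLPI to 10.0.11 or later (interim workaround: upgrade to PHP 8.x)"


if __name__ == "__main__":
    # Constructed sample inventory rows (hostname, GLPI version, PHP version).
    inventory = [
        ("glpi-prod", "10.0.10", "7.4.33-1+ubuntu"),
        ("glpi-test", "10.0.10", "8.1.27"),
        ("glpi-legacy", "9.5.13", "7.4.33"),
        ("glpi-new", "10.0.11", "7.4.33"),
    ]
    for host, glpi_v, php_v in inventory:
        print(f"{host:12s} GLPI {glpi_v:8s} PHP {php_v:16s} -> {remediation(glpi_v, php_v)}")
```

Run it against your own inventory export; only rows where both conditions hold (GLPI in the affected window and PHP 7.4) are flagged, which matches the advisory's statement that the issue is specific to PHP 7.4.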
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Credits
This vulnerability was discovered by Nikita Petrov (Positive Technologies).
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H