CVE-2022-31056
GLPI is a free asset and IT management software package that covers data center management, the ITIL service desk, license tracking and software auditing. In affected versions, all assistance forms (Ticket/Change/Problem) permit SQL injection through the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.
SQL injection with _actor parameter in assistance objects
Critical
trasher published GHSA-9q9x-7xxh-w4cg
Jun 28, 2022
Package
glpi (glpi-project/glpi)
Affected versions
>=10.0.0
Patched versions
10.0.2
Description
All assistance forms (Ticket/Change/Problem) permit an SQL injection through the actor fields.
Patches
Upgrade to 10.0.2
For more information
If you have any questions or comments about this advisory:
mail us at [email protected]
Severity
Critical
10.0 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID
CVE-2022-31056
Weaknesses
CWE-89
Credits
- derectus
Related news
GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.