CVE-2023-28849

Source
https://cve.org/CVERecord?id=CVE-2023-28849
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28849.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28849
Aliases
  • GHSA-9r84-jpg3-h4m6
Downstream
Published
2023-04-05T17:41:20.945Z
Modified
2026-04-02T08:49:01.015694Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
GLPI vulnerable to SQL injection and Stored XSS via inventory agent request
Details

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, the GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious content that is later rendered to users, enabling a stored XSS attack. By default, the GLPI inventory endpoint requires no authentication, which is why the CVSS vector carries PR:N and the score reaches 10.0. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory until the upgrade is applied.
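
The affected range above is the first thing a practitioner needs to evaluate against a deployed instance. The following is an added example (not GLPI project code and not part of the OSV record) that evaluates a GLPI version string against an OSV-style introduced/fixed range. The record on this page lists a GIT range with no events, so the constructed record below takes its bounds from the Details text: introduced 10.0.0, fixed 10.0.7. The version parsing and the handling of suffixes such as -rc1 or -dev are assumptions of this example.

```python
"""Check whether a GLPI version falls inside this record's affected range.

Added example, not code from the GLPI project or the OSV database.
The introduced/fixed bounds are taken from the advisory text and embedded
as a constructed OSV-style record.
"""
import re

# Constructed record: affected from 10.0.0 up to, but not including, 10.0.7.
CVE_2023_28849 = {
    "id": "CVE-2023-28849",
    "affected": [
        {
            "package": {"name": "glpi-project/glpi"},
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [{"introduced": "10.0.0"}, {"fixed": "10.0.7"}],
                }
            ],
        }
    ],
}


def parse_version(s):
    """Turn '10.0.3', 'v10.0.3' or '10.0.3-rc1' into an integer tuple.

    Assumption: a trailing suffix (-rc1, -dev, ...) is ignored, so a
    pre-release of the fixed version compares equal to the fixed version.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so that '10.0' compares equal to '10.0.0'.
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version, record=CVE_2023_28849):
    """Walk OSV events in order: each 'introduced' opens a range that a
    following 'fixed' (exclusive) or 'last_affected' (inclusive) closes.
    An 'introduced' with no closing event is open-ended."""
    v = parse_version(version)
    for aff in record["affected"]:
        for rng in aff["ranges"]:
            lower = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    lower = parse_version(ev["introduced"])
                elif "fixed" in ev and lower is not None:
                    if lower <= v < parse_version(ev["fixed"]):
                        return True
                    lower = None
                elif "last_affected" in ev and lower is not None:
                    if lower <= v <= parse_version(ev["last_affected"]):
                        return True
                    lower = None
            if lower is not None and lower <= v:
                return True
    return False


def triage(version):
    """Return the action a practitioner should take for this record."""
    if is_affected(version):
        return "affected: upgrade to 10.0.7 or later; meanwhile disable native inventory"
    return "not affected by CVE-2023-28849"


if __name__ == "__main__":
    for ver in ("9.5.13", "10.0.0", "10.0.6", "10.0.7", "10.0.3-rc1"):
        print(ver, "->", triage(ver))
```

Because the suffix is dropped, a build reporting 10.0.7-dev is treated as fixed; if your deployment tracks unreleased snapshots, compare against the commit that shipped the fix rather than the version string.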

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79",
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28849.json"
}
References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type
GIT
Repo
https://github.com/glpi-project/glpi
Events

Affected versions

10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28849.json"