First published: Wed Apr 05 2023
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). If the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered, and this feature does not check the safety of the URLs it follows. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
GLPI-PROJECT GLPI | >=0.84, <9.5.13 | Update to 9.5.13 |
GLPI-PROJECT GLPI | >=10.0.0, <10.0.7 | Update to 10.0.7 |
The vulnerability ID is CVE-2023-28633.
GLPI is a free asset and IT management software package.
The severity of CVE-2023-28633 is medium with a CVSS score of 5.4.
The affected software is GLPI versions 0.84 up to (but not including) 9.5.13, and 10.0.0 up to (but not including) 10.0.7.
CVE-2023-28633 is a server-side request forgery (SSRF) vulnerability in GLPI: when a configured RSS feed address is not a valid feed, the RSS autodiscovery feature follows the URLs it finds without checking their safety, so an attacker can make the GLPI server issue requests to addresses of their choosing.
To fix CVE-2023-28633, update GLPI to version 9.5.13 or 10.0.7, depending on the version you are using.
The CWE ID for CVE-2023-28633 is CWE-918.
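The root cause above is an autodiscovery step that follows URLs without checking where they point. The following Python is an added example, not GLPI project code (GLPI itself is written in PHP), showing the kind of check a feed fetcher needs: every candidate URL, whether configured directly or found through autodiscovery, is restricted to HTTP(S), stripped of userinfo tricks, and resolved so that hosts pointing at loopback, private, link-local or other non-public addresses are rejected before any request is made. The hostnames, addresses, the HTML document and the `fake_resolve` stand-in for DNS are all constructed so the example runs offline.

```python
"""Added example (not GLPI project code): the kind of URL safety check the
advisory says RSS autodiscovery lacked.  All hostnames, addresses and the
HTML document below are constructed for the demonstration."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _ip_is_public(ip_text):
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _resolve(hostname):
    """Default resolver: every A/AAAA address the host resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def is_safe_feed_url(url, resolve=_resolve):
    """Reject anything a feed fetcher should never be talked into requesting:
    non-HTTP schemes, userinfo tricks, and hosts that resolve to loopback,
    private, link-local or otherwise non-public addresses."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    host = parsed.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)      # literal IP: check it directly
        addresses = [host]
    except ValueError:                  # hostname: check every resolved address
        try:
            addresses = resolve(host)
        except OSError:
            return False
    return bool(addresses) and all(_ip_is_public(a) for a in addresses)


class _FeedLinkParser(HTMLParser):
    """Collects href values of <link rel="alternate"> tags with a feed MIME type."""
    FEED_TYPES = {"application/rss+xml", "application/atom+xml"}

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        is_alternate = "alternate" in attr.get("rel", "").lower().split()
        if is_alternate and attr.get("type", "").lower() in self.FEED_TYPES and attr.get("href"):
            self.hrefs.append(attr["href"])


def discover_feed_urls(page_url, html, resolve=_resolve):
    """Autodiscovery with the safety check applied to every candidate before
    it could be fetched.  Returns (safe_urls, rejected_urls)."""
    parser = _FeedLinkParser()
    parser.feed(html)
    safe, rejected = [], []
    for href in parser.hrefs:
        candidate = urljoin(page_url, href)   # relative hrefs resolve against the page
        (safe if is_safe_feed_url(candidate, resolve) else rejected).append(candidate)
    return safe, rejected


# Constructed stand-in for DNS so the example runs offline.
_FAKE_DNS = {
    "news.example.org": ["93.184.216.34"],   # public address
    "intranet.example": ["10.0.0.5"],        # RFC 1918 address
    "localhost": ["127.0.0.1"],
}


def fake_resolve(hostname):
    try:
        return _FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname}")


# Constructed HTML page a feed fetcher might receive instead of a real feed.
SAMPLE_HTML = """<html><head>
<link rel="alternate" type="application/rss+xml" href="/feed.rss">
<link rel="alternate" type="application/atom+xml" href="http://localhost/atom.xml">
<link rel="alternate" type="application/rss+xml" href="http://intranet.example/rss">
<link rel="alternate" type="application/rss+xml" href="ftp://news.example.org/feed">
<link rel="stylesheet" href="/style.css">
</head></html>"""

if __name__ == "__main__":
    safe, rejected = discover_feed_urls("https://news.example.org/blog/", SAMPLE_HTML, fake_resolve)
    print("safe:", safe)
    print("rejected:", rejected)
```

Running the block keeps only `https://news.example.org/feed.rss` and rejects the loopback, private-network and non-HTTP candidates. One caveat for production use: this check resolves the name once, and the HTTP client resolves it again when connecting, so a name whose answer changes between the two lookups (DNS rebinding) can slip through. A robust fetcher connects to the address it validated (keeping the hostname only for the Host header and SNI) or performs the check inside the client's connection hook, and repeats it on every redirect.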