CVE-2023-28849: GLPI vulnerable to SQL injection and Stored XSS via inventory agent request
First published: Wed Apr 05 2023(Updated: )
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI-PROJECT GLPI | >=10.0.0<10.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28849?
CVE-2023-28849 is a vulnerability in the GLPI inventory endpoint that allows for SQL injection and XSS attacks.
How severe is CVE-2023-28849?
CVE-2023-28849 has a severity rating of 5.4, which is considered critical.
How does CVE-2023-28849 affect GLPI?
CVE-2023-28849 affects GLPI versions 10.0.0 to 10.0.7.
How can CVE-2023-28849 be exploited?
CVE-2023-28849 can be exploited through the GLPI inventory endpoint by performing SQL injection or XSS attacks.
Is there a fix for CVE-2023-28849?
Yes, the fix for CVE-2023-28849 is available in GLPI version 10.0.7.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/title
- agent/remedy
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/glpi-project
- canonical/glpi-project glpi
- version/glpi-project glpi/10.0.0