CVE-2023-46726: GLPI Remote code execution from LDAP server configuration form on PHP 7.4
First published: Wed Dec 13 2023(Updated: )
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >=10.0.0<10.0.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-46726?
CVE-2023-46726 has been reported with a high severity rating due to its potential for executing arbitrary code.
How do I fix CVE-2023-46726?
To fix CVE-2023-46726, update your GLPI installation to version 10.0.11 or later.
What versions of GLPI are affected by CVE-2023-46726?
CVE-2023-46726 affects GLPI versions starting from 10.0.0 up to but not including 10.0.11.
What specific configuration does CVE-2023-46726 exploit?
CVE-2023-46726 exploits the LDAP server configuration form in GLPI.
What version of PHP is affected by CVE-2023-46726?
CVE-2023-46726 specifically impacts GLPI running on PHP version 7.4.
- agent/type
- agent/event
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/title
- agent/references
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/10.0.0