FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

glpi -- Multiple SQL Injections Stemming From isNameQuoted()

Affected packages
glpi < 9.5.2,1

Details

VuXML ID b7abdb0f-3b15-11eb-af2a-080027dbe4b7
Discovery 2020-06-25
Entry 2020-06-25
Modified 2024-04-25

MITRE Corporation reports:

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

References

CVE Name CVE-2020-15176
URL https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575
URL https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw