In GLPI before version 9.5.2, when a backtick is supplied in input that is placed into a SQL query, the application does not escape or sanitize it, allowing SQL injection to occur. By leveraging this vulnerability, an attacker is able to exfiltrate sensitive information such as passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2.

References

| Link | Resource |
|---|---|
| https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575 | Patch Third Party Advisory | 
| https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw | Third Party Advisory | 

Information
Published : 2020-10-07 19:15
Updated : 2024-11-21 05:05
NVD link : CVE-2020-15176
Mitre link : CVE-2020-15176
CVE.ORG link : CVE-2020-15176

Products Affected
glpi-project
- glpi

CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
