SB2014051409 - Multiple vulnerabilities in glpi-project GLPI
Published: May 14, 2014 Updated: September 15, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2013-2225)
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. Per: http://cwe.mitre.org/data/definitions/502.html "CWE-502: Deserialization of Untrusted Data"
2) SQL injection (CVE-ID: CVE-2013-2226)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
References
- http://osvdb.org/94683
- http://seclists.org/oss-sec/2013/q2/626
- http://seclists.org/oss-sec/2013/q2/645
- http://www.exploit-db.com/exploits/26530
- http://www.securityfocus.com/bid/60823
- https://forge.indepnet.net/projects/glpi/repository/revisions/21169/diff
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=297&lang=en&debut_autres_breves=
- http://www.securityfocus.com/bid/60693
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5146.php