#VU43887 Code Injection in GLPI


Published: 2012-07-12 | Updated: 2020-08-11

Vulnerability identifier: #VU43887

Vulnerability risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-1037

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GLPI
Web applications / CRM systems

Vendor: glpi-project

Description

The vulnerability allows a remote #AU# to read and manipulate data.

PHP remote file inclusion vulnerability in front/popup.php in GLPI 0.78 through 0.80.61 allows remote authenticated users to execute arbitrary PHP code via a URL in the sub_type parameter.

Mitigation
Install update from vendor's website.

Vulnerable software versions

GLPI: 0.78 - 0.80.61

External links
http://seclists.org/fulldisclosure/2012/Feb/157
http://www.mandriva.com/security/advisories?name=MDVSA-2012:016
http://forge.indepnet.net/issues/3338
http://forge.indepnet.net/projects/glpi/repository/revisions/17457/diff/branches/0.80-bugfixes/front/popup.php
http://forge.indepnet.net/projects/glpi/versions/685

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Code Injection in glpi-project GLPI
Fedora EPEL 5 update for glpi
Fedora EPEL 6 update for glpi