
SQL injection on addme_observer and addme_assign

High
trasher published GHSA-344w-34h9-wwhh May 5, 2020

Package

glpi-project/glpi

Affected versions

9.4.5

Patched versions

9.4.6

Description

Impact

SQL injection for all helpdesk instances.

On an existing ticket:

  • save a SQL injection payload in a text field (such as the description textarea):
    description ', name='inject title
  • save the ticket.
  • click the addme_assign or addme_observer button -> the SQL injection triggers

Severity is not critical, as the vulnerability requires a technician account.
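The advisory's reproduction steps describe a second-order injection: the description is saved safely on input, but the "add me" handler later re-uses the stored value inside a query built by string concatenation, so the quote in the stored value closes the literal and the rest of the payload becomes SQL. The following is an added example, not GLPI's own code; it uses a constructed SQLite ticket table (hypothetical schema) with the exact payload quoted above, and shows the concatenating handler beside its parameterized form.

```python
import sqlite3

# Constructed stand-in for a helpdesk ticket table; not GLPI's real schema.
SCHEMA = """
CREATE TABLE tickets (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    description TEXT NOT NULL
);
"""

# Constructed ticket description carrying the payload quoted in the advisory.
INJECTED_DESCRIPTION = "description ', name='inject title"


def make_db():
    """Create an in-memory database holding one ticket whose description was
    saved safely (parameter binding), as a form submission normally would be."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO tickets (id, name, description) VALUES (?, ?, ?)",
        (1, "Printer broken", INJECTED_DESCRIPTION),
    )
    conn.commit()
    return conn


def addme_unsafe(conn, ticket_id):
    """Hypothetical 'add me' handler that re-saves the ticket by splicing the
    *stored* description into the UPDATE as text. The quote inside the stored
    value closes the string literal, so the remainder of the value is parsed
    as SQL and assigns a column the handler never meant to touch."""
    (description,) = conn.execute(
        "SELECT description FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()
    sql = "UPDATE tickets SET description='%s' WHERE id=%d" % (description, ticket_id)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the resulting query text can be inspected


def addme_safe(conn, ticket_id):
    """Hardened form: the stored description is passed as a bound parameter,
    so it is always treated as data, whatever characters it contains."""
    (description,) = conn.execute(
        "SELECT description FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()
    conn.execute(
        "UPDATE tickets SET description=? WHERE id=?", (description, ticket_id)
    )
    conn.commit()


def ticket_state(conn, ticket_id):
    """Return (name, description) so the two handlers can be compared."""
    return conn.execute(
        "SELECT name, description FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()


def compare_handlers():
    """Run each handler against a fresh database and report the ticket state
    afterwards; the unsafe path overwrites the ticket name, the safe path
    leaves the row unchanged."""
    db = make_db()
    before = ticket_state(db, 1)
    unsafe_sql = addme_unsafe(db, 1)
    after_unsafe = ticket_state(db, 1)

    db = make_db()
    addme_safe(db, 1)
    after_safe = ticket_state(db, 1)
    return {"before": before, "unsafe_sql": unsafe_sql,
            "unsafe": after_unsafe, "safe": after_safe}


if __name__ == "__main__":
    for key, value in compare_handlers().items():
        print(f"{key:10}: {value}")
```

The detection hint for reviewers is the shape of the unsafe handler: a value read back from the database is formatted into a new statement with `%` or string concatenation. Treating stored values as trusted is what turns an escaped-on-input field into a query fragment; binding every value, on every query, is the fix regardless of where the value came from.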

Patches

Fixed in ebca9b1

References

Present since 4f7b489

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2020-11032

Weaknesses

No CWEs