Impact
SQL injection in every use of the "Clone" feature.
As an example, we based our test on "Rules", but I think it's the same for all objects that have a "string" field.
', '', 0, (SELECT password FROM glpi_users WHERE name = 'glpi'), 1, '', 1, null, null); #
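The sketch below is an added example, not GLPI code and not taken from the patch. It assumes the clone path rebuilds an INSERT from string values already stored in the database, and contrasts a concatenating clone with one that binds parameters. The schema, function names and stored value are constructed for an in-memory SQLite database.

```python
import sqlite3

# Constructed value for the toy schema below (SQLite syntax, not the advisory's payload).
STORED_NAME = "x', (SELECT password FROM users WHERE name = 'admin')) --"

def make_db():
    """In-memory toy schema; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE rules (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return db

def add_rule(db, name, description):
    """Original creation path: bound parameters, so any string is stored verbatim."""
    cur = db.execute("INSERT INTO rules (name, description) VALUES (?, ?)",
                     (name, description))
    return cur.lastrowid

def _read(db, rule_id):
    """Fetch the string fields of one rule."""
    return db.execute("SELECT name, description FROM rules WHERE id = ?",
                      (rule_id,)).fetchone()

def clone_concat(db, rule_id):
    """Vulnerable clone: stored strings are pasted into the SQL text."""
    name, description = _read(db, rule_id)
    sql = f"INSERT INTO rules (name, description) VALUES ('{name}', '{description}')"
    return db.execute(sql).lastrowid

def clone_bound(db, rule_id):
    """Hardened clone: stored strings travel as parameters, never as SQL."""
    return add_rule(db, *_read(db, rule_id))

def demo():
    """Clone the same source row both ways and return the two resulting rows."""
    db = make_db()
    src = add_rule(db, STORED_NAME, "original description")
    return _read(db, clone_concat(db, src)), _read(db, clone_bound(db, src))

if __name__ == "__main__":
    bad, good = demo()
    print("concatenated clone:", bad)
    print("bound clone:       ", good)
```

The source row was stored safely; only the concatenating clone reinterprets it as SQL, which is why a copy that differs from its source is a useful regression check for this class of bug.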
Patches
See applied patch: a4baa64
Workarounds
Apply patch.
References
Since #6684
For more information
If you have any questions or comments about this advisory, please email us at glpi-security at ow2.org