Path traversal in GLPI barcode plugin
Vulnerability disclosed:
- GLPI barcode plugin version <= 2.6.0 suffers from an unauthenticated path traversal file read vulnerability that allows reading arbitrary files outside of the plugin directory.
PoC:
Solution:
- Upgrade to barcode plugin version 2.6.1 or above
Advisory: https://github.com/pluginsGLPI/barcode/security/advisories/GHSA-2pjh-h828-wcw9
Reference: CVE-2021-43778
Author: Mateo Hanžek
