Home > Vulnerability Database > CVE-2023-42802

Mend.io Vulnerability Database

CVE-2023-42802

Date: November 2, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on "/ajax" and "/front" files to the web server.

Language: PHP

Severity Score

10.0

Related Resources (4)

Url: https://github.com/glpi-project/glpi/releases/tag/10.0.10

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-42802

Url: https://github.com/glpi-project/glpi/security/advisories/GHSA-rrh2-x4ch-pq3m

Url: https://www.mend.io/vulnerability-database/CVE-2023-42802

Severity Score

10.0

Weakness Type (CWE)

Improper Input Validation

CWE-20

Unrestricted Upload of File with Dangerous Type

CWE-434

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-42802

Date: November 2, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?