The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin.
History

Mon, 10 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-02-10T15:23:39.714Z

Reserved: 2023-03-29T17:39:16.142Z

Link: CVE-2023-29006

cve-icon Vulnrichment

Updated: 2024-08-02T14:00:14.398Z

cve-icon NVD

Status : Modified

Published: 2023-04-05T18:15:08.657

Modified: 2024-11-21T07:56:22.780

Link: CVE-2023-29006

cve-icon Redhat

No data.