oss-sec mailing list archives
CVE request: GLPI, multiple issues
From: Raphael Geissert <geissert () debian org>
Date: Thu, 27 Jun 2013 18:04:51 +0200
Hi,

[CC'ing upstream for complementary information]

Multiple SQL injections have been reported in GLPI:
http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html
(note that the original advisory was hosted at www.zeroscience.mk but it 404s as of the time of writing)

And a local file inclusion vulnerability was also reported:
http://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Arbitrary-File-Access.html
(same note as for the above issue)

I'm not aware of related commits or bug reports other than the following (but this is me trying to connect dots):
https://forge.indepnet.net/issues/4372
which was marked as fixed at least in (0.83.9):
https://forge.indepnet.net/projects/glpi/versions/915
But the bug report also refers to the fix in trunk and the 0.85 branch.

Could CVE ids be assigned please?

Note that this is a different request than the one for the one about the use of unserialize on untrusted data.

Thanks in advance,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net