oss-sec mailing list archives

CVE request: GLPI, multiple issues


From: Raphael Geissert <geissert () debian org>
Date: Thu, 27 Jun 2013 18:04:51 +0200

Hi,

[CC'ing upstream for complementary information]

Multiple SQL injections have been reported in GLPI:
http://packetstormsecurity.com/files/122097/GLPI-0.83.8-SQL-Injection.html

(note that the original advisory was hosted at www.zeroscience.mk but
it 404s as of the time of writing)

And a local file inclusion vulnerability was also reported:
http://packetstormsecurity.com/files/122087/GLPI-0.83.7-Parameter-Traversal-Arbitrary-File-Access.html

(same note as for the above issue)

I'm not aware of related commits or bug reports other than the
following (but this is me trying to connect dots):
https://forge.indepnet.net/issues/4372
which was marked as fixed at least in 0.83.9:
https://forge.indepnet.net/projects/glpi/versions/915
But the bug report also refers to the fix in trunk and the 0.85 branch.

Could CVE ids be assigned please?

Note that this is a different request from the one about the use of
unserialize on untrusted data.

Thanks in advance,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net