In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
| Link | Tags |
|---|---|
| https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f | third party advisory patch |
| https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c | third party advisory patch |
| http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html | vdb entry third party advisory |