Description
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows an attacker to upload malicious PHP files to unintended directories. Depending on the web server configuration and the system libraries available, those PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove the web server's write access to the files under `/ajax` and `/front`.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/glpi-project/glpi/security/advisories/GHSA-rrh2-x4ch-pq3m
Release Notes (x_refsource_misc): https://github.com/glpi-project/glpi/releases/tag/10.0.10
Scores
CVSS v3: 10.0
EPSS: 0.0577
EPSS Percentile: 90.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-20 (Improper Input Validation)
Status: published
Products (1): glpi-project/glpi, versions 10.0.7 - 10.0.10
Published: Nov 02, 2023
Tracked Since: Feb 18, 2026