CVE-2023-46726

HIGH

GLPI 10.0.0-10.0.10 - Remote Code Execution via LDAP Server Configuration Form

Description

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

Scores

CVSS v3 7.2
EPSS 0.0126
EPSS Percentile 65.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-74
Status published
Products (1)
glpi-project/glpi 10.0.0 - 10.0.11
Published Dec 13, 2023
Tracked Since Feb 18, 2026