
List:       full-disclosure
Subject:    [FD] CVE-2024-31705
From:       V3locidad <v3locidad () v3locidad ! com>
Date:       2024-04-11 19:28:12
Message-ID: 34536CF3-B088-4C3A-8FA2-1685FE810427 () v3locidad ! com

CVE ID: CVE-2024-31705

Title : RCE in the "Shell Commands" plugin / GLPI Shell Command Management Interface

Affected Product : GLPI 10.x.x and later (Shell Commands plugin)

Description: An issue in Infotel Conseil's "Shell Commands" plugin for GLPI 10.x.x and later
allows a remote attacker to execute arbitrary code via insufficient validation of user-supplied
input.

Affected Component : The 'Shell Commands' plugin of GLPI. All versions of the plugin are
affected; a remote attacker can execute arbitrary code on the host running GLPI.

Attack Vectors : Remote. The 'Shell Commands' plugin of GLPI (Gestionnaire Libre de Parc
Informatique) exposes functionality that runs shell commands on the GLPI host. User-supplied
input reaching that functionality is insufficiently validated, so a remote attacker who can
reach the plugin can inject and execute arbitrary commands on the system. All versions of the
plugin are affected.
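The advisory names the root cause only as insufficient validation of user-supplied input that reaches the plugin's shell execution. The PHP below is an added illustration of that vulnerability class, written for this page; it is not code from the GLPI "Shell Commands" plugin, from GLPI, or from the reporter, and the command names, templates and request values in it are constructed for the example. It places the injectable pattern next to a hardened version that allowlists the command, validates the argument format and shell-quotes it.

```php
<?php
// Added illustration of command injection through unvalidated input.
// Constructed example; not code from the GLPI "Shell Commands" plugin.

declare(strict_types=1);

// Hypothetical allowlist of fixed command templates. The %s slot is the
// only part the user influences, and it is quoted before interpolation.
const COMMAND_TEMPLATES = [
    'ping'       => 'ping -c 1 %s',
    'traceroute' => 'traceroute -m 5 %s',
];

/**
 * VULNERABLE pattern: command and argument are taken from the request and
 * concatenated into a shell string. An argument such as "127.0.0.1; id"
 * ends the intended command and appends a second one. A real plugin would
 * hand this string to shell_exec()/exec(); here it is only returned.
 */
function buildCommandVulnerable(string $command, string $argument): string
{
    return $command . ' ' . $argument;
}

/**
 * Hardened pattern: the user picks a template name, never the binary; the
 * argument must match a strict hostname/IPv4 pattern; and it is still passed
 * through escapeshellarg() so that a validation bug cannot deliver shell
 * metacharacters to the shell.
 */
function buildCommandHardened(string $command, string $argument): string
{
    if (!array_key_exists($command, COMMAND_TEMPLATES)) {
        throw new InvalidArgumentException("unknown command: $command");
    }
    // Hostnames and IPv4 literals only: letters, digits, dots and hyphens.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $argument)) {
        throw new InvalidArgumentException('argument failed validation');
    }
    return sprintf(COMMAND_TEMPLATES[$command], escapeshellarg($argument));
}

// Constructed request parameters, as an attacker could supply them.
$userCommand  = 'ping -c 1';
$userArgument = '127.0.0.1; id';

// Two commands reach the shell in the vulnerable version.
echo "vulnerable: ", buildCommandVulnerable($userCommand, $userArgument), "\n";

// The hardened version rejects the same argument before any shell is involved.
try {
    echo "hardened:   ", buildCommandHardened('ping', $userArgument), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}

// A well-formed argument is accepted and arrives quoted.
echo "hardened:   ", buildCommandHardened('ping', '127.0.0.1'), "\n";
```

The two defences are deliberately layered: the allowlist removes the user's control over which binary runs, the format check rejects anything that is not a host, and escapeshellarg() is the backstop if the regular expression is ever loosened. Where the feature allows it, the stronger design avoids a shell entirely, for example by passing an argument array to proc_open() (supported since PHP 7.4) so that no string is ever parsed by /bin/sh.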

Recommendation: Deactivate the Shell Commands plugin, or strictly restrict which users can
reach it. Note that GLPI has already removed the plugin from its marketplace.

Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell

Discoverer: Julien Mula / V3locidad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

