List: full-disclosure
Subject: [FD] CVE-2024-31705
From: V3locidad <v3locidad () v3locidad ! com>
Date: 2024-04-11 19:28:12
Message-ID: 34536CF3-B088-4C3A-8FA2-1685FE810427 () v3locidad ! com
CVE ID: CVE-2024-31705
Title: RCE to "Shell Commands" Plugin / GLPI Shell Command Management Interface
Affected Product: GLPI - 10.X.X and latest version
Description: An issue in Infotel Conseil GLPI v.10.X.X and later allows a remote attacker to execute arbitrary code via insufficient validation of user-supplied input.
Affected Component: A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on the system.
Attack Vectors: A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of user-supplied input within the plugin's functionality to execute shell commands.
Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access. Note that GLPI has already removed it from its marketplace.
Reference: https://github.com/V3locidad/GLPI_POC_Plugins_Shell
Discoverer: Julien Mula / V3locidad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/