
List:       full-disclosure
Subject:    [FD] CVE-2024-31705
From:       V3locidad <v3locidad () v3locidad ! com>
Date:       2024-04-11 19:28:12
Message-ID: 34536CF3-B088-4C3A-8FA2-1685FE810427 () v3locidad ! com

CVE ID: CVE-2024-31705

Title : RCE in the "Shell Commands" Plugin / GLPI Shell Command Management Interface

Affected Product : GLPI 10.X.X up to the latest version

Description: An issue in Infotel Conseil GLPI v10.X.X and later allows a remote attacker to execute arbitrary code via insufficient validation of user-supplied input.

Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of GLPI. This vulnerability affects all versions of the software and allows a remote attacker to execute arbitrary code on the system.

Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of user-supplied input within the plugin's functionality for executing shell commands: user-controlled data reaches the command that is executed without being restricted to a safe, expected form.
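As an added illustration of what "strict validation" means for a shell-command management feature, the following PHP snippet (written for this page; it is not the plugin's or GLPI's own code, and the command identifiers, argument names and binary paths are assumptions) replaces free-form command strings with an allowlist of templates and runs the result without a shell interpreter, so no user-supplied character can change the command that executes:

```php
<?php
// Added example, not the plugin's code. Command ids, argument names and
// binary paths are hypothetical.

// Allowlist of command templates: the user may only pick an id and supply
// the named arguments. A raw command string is never accepted.
const COMMAND_TEMPLATES = [
    'ping' => ['bin' => '/bin/ping',    'fixed' => ['-c', '4'], 'args' => ['host']],
    'dig'  => ['bin' => '/usr/bin/dig', 'fixed' => ['+short'],  'args' => ['host']],
];

// Build argv for an allowlisted command; null means "refuse".
function buildCommand(string $id, array $userArgs): ?array
{
    if (!isset(COMMAND_TEMPLATES[$id])) {
        return null;                          // unknown command id
    }
    $tpl  = COMMAND_TEMPLATES[$id];
    $argv = array_merge([$tpl['bin']], $tpl['fixed']);
    foreach ($tpl['args'] as $name) {
        $value = $userArgs[$name] ?? '';
        // Hostname characters only; spaces, ';', '|', '$', backticks and
        // newlines are rejected rather than escaped.
        if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $value)) {
            return null;
        }
        $argv[] = $value;
    }
    return $argv;
}

// Execute without /bin/sh: PHP >= 7.4 runs an array command directly, so
// shell metacharacters in arguments are never interpreted.
function runCommand(string $id, array $userArgs): ?string
{
    $argv = buildCommand($id, $userArgs);
    if ($argv === null) {
        return null;
    }
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

Access to such a feature should additionally be limited to a dedicated GLPI profile, which is the "strict restrictions to its access" the recommendation below refers to.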

Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access. Please note that GLPI has already removed it from its marketplace.

Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell

Discoverer: Julien Mula / V3locidad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


