Search criteria
6 vulnerabilities found for fields by teclib-edition
FKIE_CVE-2023-28855
Vulnerability from fkie_nvd - Published: 2023-04-05 18:15 - Updated: 2024-11-21 07:56
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| teclib-edition | fields | * | |
| teclib-edition | fields | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*",
"matchCriteriaId": "89C87DD6-157A-4B3B-8C3D-F6AFC6FB2C3E",
"versionEndExcluding": "1.13.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*",
"matchCriteriaId": "FE8E4B2B-DB2A-4D0F-96AA-651FB7BEE330",
"versionEndExcluding": "1.20.4",
"versionStartIncluding": "1.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
}
],
"id": "CVE-2023-28855",
"lastModified": "2024-11-21T07:56:09.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-05T18:15:08.583",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-12723
Vulnerability from fkie_nvd - Published: 2019-07-10 13:15 - Updated: 2024-11-21 04:23
Severity ?
Summary
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php | Third Party Advisory | |
| cve@mitre.org | https://github.com/pluginsGLPI/fields/pull/317 | Third Party Advisory | |
| cve@mitre.org | https://github.com/pluginsGLPI/fields/releases/tag/1.10.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/pull/317 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/releases/tag/1.10.0 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| teclib-edition | fields | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:glpi:*:*:*",
"matchCriteriaId": "A4F44B9F-561E-4D63-9A07-F2E7233F31BA",
"versionEndIncluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el plugin Fields hasta versi\u00f3n 1.9.2 de Teclib para GLPI. Esto permite una Inyecci\u00f3n SQL por medio de los par\u00e1metros container_id y old_order en el archivo ajax/reorder.php por parte de un usuario no identificado."
}
],
"id": "CVE-2019-12723",
"lastModified": "2024-11-21T04:23:26.443",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-10T13:15:10.730",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-28855 (GCVE-0-2023-28855)
Vulnerability from cvelistv5 – Published: 2023-04-05 17:48 – Updated: 2025-02-10 16:27
VLAI?
Title
Fields GLPI plugin vulnerable to unauthorized write access to additional fields
Summary
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
Severity ?
6.5 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pluginsGLPI | fields |
Affected:
< 1.13.1
Affected: >= 1.20.0, < 1.20.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:27:27.665693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:27:40.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fields",
"vendor": "pluginsGLPI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.1"
},
{
"status": "affected",
"version": "\u003e= 1.20.0, \u003c 1.20.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-05T17:48:22.384Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"source": {
"advisory": "GHSA-52vv-hm4x-8584",
"discovery": "UNKNOWN"
},
"title": "Fields GLPI plugin vulnerable to unauthorized write access to additional fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28855",
"datePublished": "2023-04-05T17:48:22.384Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2025-02-10T16:27:40.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12723 (GCVE-0-2019-12723)
Vulnerability from cvelistv5 – Published: 2019-07-10 12:48 – Updated: 2024-08-04 23:32
VLAI?
Summary
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:53.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-10T12:48:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"name": "https://github.com/pluginsGLPI/fields/pull/317",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0",
"refsource": "CONFIRM",
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12723",
"datePublished": "2019-07-10T12:48:45",
"dateReserved": "2019-06-04T00:00:00",
"dateUpdated": "2024-08-04T23:32:53.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28855 (GCVE-0-2023-28855)
Vulnerability from nvd – Published: 2023-04-05 17:48 – Updated: 2025-02-10 16:27
VLAI?
Title
Fields GLPI plugin vulnerable to unauthorized write access to additional fields
Summary
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
Severity ?
6.5 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pluginsGLPI | fields |
Affected:
< 1.13.1
Affected: >= 1.20.0, < 1.20.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:27:27.665693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:27:40.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fields",
"vendor": "pluginsGLPI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.1"
},
{
"status": "affected",
"version": "\u003e= 1.20.0, \u003c 1.20.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-05T17:48:22.384Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"source": {
"advisory": "GHSA-52vv-hm4x-8584",
"discovery": "UNKNOWN"
},
"title": "Fields GLPI plugin vulnerable to unauthorized write access to additional fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28855",
"datePublished": "2023-04-05T17:48:22.384Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2025-02-10T16:27:40.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12723 (GCVE-0-2019-12723)
Vulnerability from nvd – Published: 2019-07-10 12:48 – Updated: 2024-08-04 23:32
VLAI?
Summary
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:53.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-10T12:48:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"name": "https://github.com/pluginsGLPI/fields/pull/317",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0",
"refsource": "CONFIRM",
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12723",
"datePublished": "2019-07-10T12:48:45",
"dateReserved": "2019-06-04T00:00:00",
"dateUpdated": "2024-08-04T23:32:53.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}