CVE-2020-15176
Vulnerability from cvelistv5
Published
2020-10-07 18:55
Modified
2024-08-04 13:08
Severity ?
EPSS score ?
Summary
SQL injection in GLPI
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw | Third Party Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
glpi-project | glpi |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:22.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "glpi", "vendor": "glpi-project", "versions": [ { "status": "affected", "version": "\u003e= 0.6.8, \u003c 9.5.2" } ] } ], "descriptions": [ { "lang": "en", "value": "In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-07T18:55:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575" } ], "source": { "advisory": "GHSA-x93w-64x9-58qw", "discovery": "UNKNOWN" }, "title": "SQL injection in GLPI", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15176", "STATE": "PUBLIC", "TITLE": "SQL injection in GLPI" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "glpi", "version": { "version_data": [ { "version_value": "\u003e= 0.6.8, \u003c 9.5.2" } ] } } ] }, "vendor_name": "glpi-project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2" } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw", "refsource": "CONFIRM", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw" }, { "name": "https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575", "refsource": "CONFIRM", "url": "https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575" } ] }, "source": { "advisory": "GHSA-x93w-64x9-58qw", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15176", "datePublished": "2020-10-07T18:55:12", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:22.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-15176\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-10-07T19:15:12.720\",\"lastModified\":\"2020-10-16T15:36:03.727\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2\"},{\"lang\":\"es\",\"value\":\"En GLPI versiones anteriores a 9.5.2, cuando se suministra un back tick en la entrada que se coloca en una consulta SQL, la aplicaci\u00f3n no escapa ni se sanea, permitiendo que ocurra una inyecci\u00f3n SQL.\u0026#xa0;Al aprovechar esta vulnerabilidad, un atacante es capaz de exfiltrar informaci\u00f3n confidencial como contrase\u00f1as, tokens de restablecimiento, detalles personales y m\u00e1s.\u0026#xa0;El problema es parcheado en la versi\u00f3n 9.5.2\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.8}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.5.2\",\"matchCriteriaId\":\"4FDDC1DB-791A-495C-84D1-110B95394022\"}]}]}],\"references\":[{\"url\":\"https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.