Home > Vulnerability Database > WS-2022-0391

Mend.io Vulnerability Database

WS-2022-0391

Good to know:

Date: October 27, 2022

The GLPI's plugin named glpi-archimapcontains an ajax route named getconfig.php which allows a user to retrieve the plugin configuration. However, this route is accessible by everyone because there is no authentication check. Moreover, the attacker can inject his own SQL queries and get directly the result of these queries in the HTTP response!

Language: PHP

Severity Score

9.8

Related Resources (2)

Url: https://github.com/ericferon/glpi-archimap/commit/53ecec67177cce1093859818d86a0a7794046683

Url: https://www.mend.io/vulnerability-database/WS-2022-0391

Severity Score

9.8

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version v3.2.13

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2022-0391

Good to know:

Date: October 27, 2022

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?