| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Apr 2024 21:28:12 +0200 From: V3locidad <v3locidad@...ocidad.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2024-31705 CVE ID: CVE-2024-31705 Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface Affected Product : GLPI - 10.X.X and last version Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on the system. Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of user-supplied input within the plugin's functionality to execute shell commands. Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access, please note that GLPI has already removed it from its marketplace. Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell Discoverer: Julien Mula / V3locidad _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists