[<prev] [next>] [day] [month] [year] [list]
Message-Id: <34536CF3-B088-4C3A-8FA2-1685FE810427@v3locidad.com>
Date: Thu, 11 Apr 2024 21:28:12 +0200
From: V3locidad <v3locidad@...ocidad.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2024-31705
CVE ID: CVE-2024-31705
Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface
Affected Product : GLPI - 10.X.X and last version
Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.
Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on the system.
Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of user-supplied input within the plugin's functionality to execute shell commands.
Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access, please note that GLPI has already removed it from its marketplace.
Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell
Discoverer: Julien Mula / V3locidad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists