SQL injection using custom CSS administration form

Moderate

trasher published GHSA-5hg4-r64r-rf83

Jan 27, 2022

Package

glpi (glpi)

Affected versions

< 9.5.7

Patched versions

9.5.7

Description

Impact

Entity administrator is capable of retrieve normally inaccessible data (GLPI data, system data, mysql data).

Patches

TODO

Workarounds

Disabling Entities update right prevents exploit of this vulnerability.