CVE-2023-42462
File deletion through document upload process in GLPI
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona funciones de ITIL Service Desk, seguimiento de licencias y auditoría de software. El proceso de carga de documentos se puede desviar para eliminar algunos archivos. Se recomienda a los usuarios que actualicen a la versión 10.0.10. No se conocen workarounds para esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-09-08 CVE Reserved
- 2023-09-26 CVE Published
- 2024-09-23 CVE Updated
- 2024-10-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75 | 2023-09-29 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Glpi-project Search vendor "Glpi-project" | Glpi Search vendor "Glpi-project" for product "Glpi" | >= 10.0.0 < 10.0.10 Search vendor "Glpi-project" for product "Glpi" and version " >= 10.0.0 < 10.0.10" | - |
Affected
| ||||||