Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26919
HistoryAug 27, 2011 - 12:00 a.m.

[PT-2011-23] Database information disclosure in GLPI

2011-08-2700:00:00
vulners.com
7
JSON
 (PT-2011-23) Positive Technologies Security Advisory 

         Database information disclosure in GLPI

—[ Vulnerable software ]

            GLPI 
            Version 0.80.1 and earlier

            Application link:       
            http://www.glpi-project.org/

—[ Severity level ]

            Severity level:                High
            Impact:                        Database information disclosure
            Access Vector:                 Network exploitable
            

           CVSS v2:
                   Base Score:     6.5
                   Vector:         (AV:N/AC:L/Au:S/C:P/I:P/A:P)

            CVE:   not assigned

—[ Software description ]

GLPI is a powerful enterprise ready-to-use suite that allows you to "build your own system" on the fly. It includes a help desk, a knowledge base, a time manager and a reporting system supported by highly configurable and extensible Action & Information Management System.

—[ Vulnerability description ]

Positive Research Center has discovered a database information disclosure vulnerability in GLPI.
The vulnerability can be exploited with a minimally privileged user account such as "post-only."
The vulnerable script is /ajax/autocompletion.php. An authorized user can send a special request to this script and get all
usernames registered in the system along with their password hashes.

–[ How to fix ]

Update your software up to the latest version

—[ Credits ]

These vulnerabilities were detected by Yuri Goltsev, Positive Research Center (Positive Technologies Company)

JSON