GLPI Remote code execution from LDAP server configuration form on PHP 7.4

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

输出中的特殊元素转义处理不恰当(注入)

GLPI 注入漏洞

GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。 GLPI 10.0.0版本至10.0.11之前版本存在注入漏洞，该漏洞源于可以上传任意代码。

N/A

N/A