7.5

CVE-2014-8360

Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Glpi-projectGlpi Version <= 0.84.7
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.85% 0.849
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://advisories.mageia.org/MGASA-2015-0017.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:167
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360-en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330
Vendor Advisory
https://forge.indepnet.net/issues/5101