7.5
CVE-2014-8360
- EPSS 2.85%
- Veröffentlicht 14.04.2015 18:59:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
- CVE-Watchlists
- Unerledigt
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Glpi-project ≫ Glpi Version <= 0.84.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.85% | 0.849 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
http://advisories.mageia.org/MGASA-2015-0017.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:167
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360-en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330
https://forge.indepnet.net/issues/5101