6.5

CVE-2023-28855

EPSS 0.17%
Veröffentlicht 05.04.2023 18:15:08
Zuletzt bearbeitet 21.11.2024 07:56:09
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Teclib-edition ≫ Fields SwPlatformglpi Version < 1.13.1

Teclib-edition ≫ Fields SwPlatformglpi Version >= 1.20.0 < 1.20.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.388

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d

Patch

https://github.com/pluginsGLPI/fields/releases/tag/1.13.1

Release Notes

https://github.com/pluginsGLPI/fields/releases/tag/1.20.4

Release Notes

https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28855

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28855

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28855

EUVD