Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-B7ABDB0F-3B15-11EB-AF2A-080027DBE4B7 (CVE-2020-15176): glpi -- Multiple SQL Injections Stemming From isNameQuoted()

Free InsightVM Trial No Credit Card Necessary

Watch Demo See how it all works

Back to Search

FreeBSD: VID-B7ABDB0F-3B15-11EB-AF2A-080027DBE4B7 (CVE-2020-15176): glpi -- Multiple SQL Injections Stemming From isNameQuoted()

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

06/25/2020

Created

12/14/2020

Added

12/12/2020

Modified

12/12/2020

Description

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

Solution(s)

freebsd-upgrade-package-glpi

References

CVE-2020-15176

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-B7ABDB0F-3B15-11EB-AF2A-080027DBE4B7 (CVE-2020-15176): glpi -- Multiple SQL Injections Stemming From isNameQuoted()

FreeBSD: VID-B7ABDB0F-3B15-11EB-AF2A-080027DBE4B7 (CVE-2020-15176): glpi -- Multiple SQL Injections Stemming From isNameQuoted()

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.