CVE-2021-43778

high-risk
Published 2021-11-24

Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the `front/send.php` file.

Do I need to act?

!
90.5% chance of exploitation in next 30 days
EPSS score — higher than 10% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Glpi-Project

References (9)

Exploit https://github.com/hansmach1ne/MyExploits/tree/main/Path%20Traversal%20in%20GLPI...
Patch https://github.com/pluginsGLPI/barcode/commit/428c3d9adfb446e8492b1c2b7affb3d340...
Release Notes https://github.com/pluginsGLPI/barcode/releases/tag/2.6.1
Patch https://github.com/pluginsGLPI/barcode/security/advisories/GHSA-2pjh-h828-wcw9
https://github.com/hansmach1ne/CVE-portfolio/tree/main/CVE-2021-43778
Exploit https://github.com/hansmach1ne/MyExploits/tree/main/Path%20Traversal%20in%20GLPI...
Patch https://github.com/pluginsGLPI/barcode/commit/428c3d9adfb446e8492b1c2b7affb3d340...
Release Notes https://github.com/pluginsGLPI/barcode/releases/tag/2.6.1
Patch https://github.com/pluginsGLPI/barcode/security/advisories/GHSA-2pjh-h828-wcw9
56
/ 100
high-risk
Severity 31/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal