CVE-2023-43813

moderate-risk
Published 2023-12-13

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Do I need to act?

!
11.5% chance of exploitation in next 30 days
EPSS score — higher than 89% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Glpi-Project

References (6)

Patch https://github.com/glpi-project/glpi/commit/4bd7f02d940953b9cbc9d285f7544bb0e490...
Release Notes https://github.com/glpi-project/glpi/releases/tag/10.0.11
Vendor Advisory https://github.com/glpi-project/glpi/security/advisories/GHSA-94c3-fw5r-3362
Patch https://github.com/glpi-project/glpi/commit/4bd7f02d940953b9cbc9d285f7544bb0e490...
Release Notes https://github.com/glpi-project/glpi/releases/tag/10.0.11
Vendor Advisory https://github.com/glpi-project/glpi/security/advisories/GHSA-94c3-fw5r-3362
40
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 11/34 · Low
Exposure 5/34 · Minimal