Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-5696 — Cross-Site Request Forgery in Glpi

CWE-352 — Cross-Site Request Forgery10 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

64.0%

top 1.57%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Glpi-project Glpi

Timeline

PublishedSep 23

Latest updateMay 17

Description

inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Ubuntuglpi-project/glpi< 0.84.2-1

▶NVDglpi-project/glpi0.84.1+59

Patches

Patch: www.glpi-project.org ↗Patch: forge.indepnet.net ↗Patch: forge.indepnet.net ↗

🔴Vulnerability Details

GHSA

GHSA-c446-83mg-g9vm: inc/central↗2022-05-17

▶

OSV

CVE-2013-5696: inc/central↗2013-09-23

▶

💥Exploits & PoCs

Exploit-DB

GLPI 0.84.1 - Multiple Vulnerabilities↗2013-10-02

▶

Exploit-DB

GLPI - 'install.php' Remote Command Execution (Metasploit)↗2013-09-23

▶

Metasploit

GLPI install.php Remote Command Execution↗

▶

🕵️Threat Intelligence

Greynoiseio

NoiseLetter January 2024↗

▶

💬Community

Bugzilla

CVE-2013-5696 glpi: multiple vulnerabilities [epel-all]↗2013-09-23

▶

Bugzilla

CVE-2013-5696 glpi: multiple vulnerabilities↗2013-09-23

▶

Bugzilla

CVE-2013-5696 glpi: multiple vulnerabilities [fedora-all]↗2013-09-23

▶