Skip to content

Guilhem7/CVE_2023_41320

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
README.md
README.md
 
 
cve_2023_41320.py
cve_2023_41320.py
 
 

Repository files navigation

CVE_2023_41320

POC for CVE 2023 41320 on GLPI

Vulnerability Condition Score CVSS Vulnerable versions
SQL Injection Authenticated User 8.1 10.0.0 $\leq$ Version $\leq$ 10.0.9

Impact:

  • SQL Injection in an update clause (be careful, do not forget the "WHERE" thanks Issam for the test 😄)
  • Account Takeover (or privesc on the webapp)
  • Remote Code Execution (in some cases, uses the check module to verify)

This exploit has been tested on glpi 10.0.0 and glpi 10.0.9 (linux only), it might requires modification in order to work on other version. Mostly both function extract_val_from_pref and set_user_val might requires some changes. set_user_val stores the result of the sql injection in the realname field of the glpi_users table.

To achieve RCE you must allow the upload of extension .php (piece of cake when you are an Administrator)

Report link: Huntr report

NOTE: Thanks to GLPI for the quick answer and the version patched here

About

POC for cve 2023 41320 GLPI

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages