CVE-2023-28855

Published: Apr 5, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.

Affected (2)

Products: Teclib Edition: Fields

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Teclib Edition Fields	Before 1.13.1
Teclib Edition Fields	From 1.20.0 to 1.20.4

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (8)

https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d

Source: security-advisories@github.com

Patch

https://github.com/pluginsGLPI/fields/releases/tag/1.13.1

Source: security-advisories@github.com

Release Notes

https://github.com/pluginsGLPI/fields/releases/tag/1.20.4

Source: security-advisories@github.com

Release Notes

https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584

Source: security-advisories@github.com

Vendor Advisory

https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/pluginsGLPI/fields/releases/tag/1.13.1

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/pluginsGLPI/fields/releases/tag/1.20.4

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.