CVE-2024-31705

Full Disclosure
mailing list archives

From: V3speed
Date: Thu, 11 Apr 2024 21:28:12 +0200

CVE ID: CVE-2024-31705

Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface

Affected Product : GLPI - 10.X.X and last version

Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via 
the insufficient validation of user-supplied input.

Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of 
GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on 
the system.

Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the 
GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and 
allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of 
user-supplied input within the plugin's functionality to execute shell commands.

Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access, please note that GLPI 
has already removed it from its marketplace.

Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell

Discoverer: Julien Mula / V3locidad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• CVE-2024-31705 Speed ​​(Apr 14)