CVE-2018-7562

A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-03-12 21:29

Updated : 2024-02-04 19:46


NVD link : CVE-2018-7562

Mitre link : CVE-2018-7562

CVE.ORG link : CVE-2018-7562


JSON object : View

Products Affected

glpi-project

  • glpi
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-434

Unrestricted Upload of File with Dangerous Type