You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Nov 2, 2024. It is now read-only.
This is not a vulnerability found / disclosed by me, just forwarding this in case it got missed / not forwarded here
In case this is not the correct contact way i would suggest to extend and merge Create SECURITY.md #26 accordingly
Hello,
in case it is not known yet i would like to notify you that a potential remote code execution (RCE) has been disclosed a few months. This got CVE-2024-31705 assigned and the links below contains more background info.
Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface
Affected Product : GLPI - 10.X.X and last version
Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via
the insufficient validation of user-supplied input.
Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of
GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on
the system.
Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the
GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and
allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of
user-supplied input within the plugin's functionality to execute shell commands.
Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access, please note that GLPI
has already removed it from its marketplace.
Important:
Hello,
in case it is not known yet i would like to notify you that a potential remote code execution (RCE) has been disclosed a few months. This got CVE-2024-31705 assigned and the links below contains more background info.
In case something is unclear / invalid i guess @V3locidad could be contacted or a new issue raised at https://github.com/V3locidad/GLPI_POC_Plugins_Shell/issues
References: