Vulnerabilites related to teclib-edition - fields
CVE-2023-28855 (GCVE-0-2023-28855)
Vulnerability from cvelistv5
Published
2023-04-05 17:48
Modified
2025-02-10 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584 | x_refsource_CONFIRM | |
| https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d | x_refsource_MISC | |
| https://github.com/pluginsGLPI/fields/releases/tag/1.13.1 | x_refsource_MISC | |
| https://github.com/pluginsGLPI/fields/releases/tag/1.20.4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pluginsGLPI | fields |
Version: < 1.13.1 Version: >= 1.20.0, < 1.20.4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.639Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:27:27.665693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T16:27:40.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fields",
"vendor": "pluginsGLPI",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.1"
},
{
"status": "affected",
"version": "\u003e= 1.20.0, \u003c 1.20.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-05T17:48:22.384Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
}
],
"source": {
"advisory": "GHSA-52vv-hm4x-8584",
"discovery": "UNKNOWN"
},
"title": "Fields GLPI plugin vulnerable to unauthorized write access to additional fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28855",
"datePublished": "2023-04-05T17:48:22.384Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2025-02-10T16:27:40.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12723 (GCVE-0-2019-12723)
Vulnerability from cvelistv5
Published
2019-07-10 12:48
Modified
2024-08-04 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php | x_refsource_MISC | |
| https://github.com/pluginsGLPI/fields/pull/317 | x_refsource_MISC | |
| https://github.com/pluginsGLPI/fields/releases/tag/1.10.0 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:53.960Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-07-10T12:48:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12723",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"name": "https://github.com/pluginsGLPI/fields/pull/317",
"refsource": "MISC",
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"name": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0",
"refsource": "CONFIRM",
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12723",
"datePublished": "2019-07-10T12:48:45",
"dateReserved": "2019-06-04T00:00:00",
"dateUpdated": "2024-08-04T23:32:53.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-04-05 18:15
Modified
2024-11-21 07:56
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| teclib-edition | fields | * | |
| teclib-edition | fields | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*",
"matchCriteriaId": "89C87DD6-157A-4B3B-8C3D-F6AFC6FB2C3E",
"versionEndExcluding": "1.13.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:*:glpi:*:*",
"matchCriteriaId": "FE8E4B2B-DB2A-4D0F-96AA-651FB7BEE330",
"versionEndExcluding": "1.20.4",
"versionStartIncluding": "1.20.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
}
],
"id": "CVE-2023-28855",
"lastModified": "2024-11-21T07:56:09.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-05T18:15:08.583",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-07-10 13:15
Modified
2024-11-21 04:23
Severity ?
Summary
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php | Third Party Advisory | |
| cve@mitre.org | https://github.com/pluginsGLPI/fields/pull/317 | Third Party Advisory | |
| cve@mitre.org | https://github.com/pluginsGLPI/fields/releases/tag/1.10.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/pull/317 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pluginsGLPI/fields/releases/tag/1.10.0 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| teclib-edition | fields | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:teclib-edition:fields:*:*:*:*:glpi:*:*:*",
"matchCriteriaId": "A4F44B9F-561E-4D63-9A07-F2E7233F31BA",
"versionEndIncluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el plugin Fields hasta versi\u00f3n 1.9.2 de Teclib para GLPI. Esto permite una Inyecci\u00f3n SQL por medio de los par\u00e1metros container_id y old_order en el archivo ajax/reorder.php por parte de un usuario no identificado."
}
],
"id": "CVE-2019-12723",
"lastModified": "2024-11-21T04:23:26.443",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-07-10T13:15:10.730",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/pull/317"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/pluginsGLPI/fields/releases/tag/1.10.0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}