Vulnerability Details : CVE-2013-5696
Public exploit exists!
inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.
Vulnerability category: Sql InjectionCross-site request forgery (CSRF)
Products affected by CVE-2013-5696
- cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72.4:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.5:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.4:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.65:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.65:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.6:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72:rc3:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70:rc3:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.65:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.51a:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.51:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78.5:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.78.4:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.72:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.71.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68:rc3:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.70.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.68:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.42:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.4:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.6:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.5:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.61:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.31:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.30:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.21:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.1:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.41:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.80.7:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.20:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.40:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.6:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.5:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.4:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.31:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.7:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.3:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.8:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.2:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.9:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.83.91:*:*:*:*:*:*:*
- cpe:2.3:a:glpi-project:glpi:0.84:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-5696
22.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2013-5696
-
GLPI install.php Remote Command Execution
Disclosure Date: 2013-09-12First seen: 2020-04-26exploit/multi/http/glpi_install_rceThis module exploits an arbitrary command execution vulnerability in the GLPI 'install.php' script. This module is set to ManualRanking due to this module overwriting the target database configuration, which may introduce target instability. Authors: - Trist
CVSS scores for CVE-2013-5696
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2013-5696
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-5696
-
https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html
Page not foundExploit
-
https://forge.indepnet.net/projects/glpi/repository/revisions/21753
Patch
-
https://forge.indepnet.net/projects/glpi/repository/revisions/21753/diff/branches/0.84-bugfixes/inc/central.class.php
Patch
-
https://forge.indepnet.net/issues/4480
-
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308
Page not found - GLPI ProjectPatch
Jump to