Vulnerability Details : CVE-2014-8360
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type passed to the getItemForItemtype function, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
Vulnerability category: Directory traversal
Products affected by CVE-2014-8360
- cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8360
EPSS score: 1.06% (probability of exploitation activity in the next 30 days)
Percentile: ~82% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-8360
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2014-8360
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-8360
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=330 (Vendor Advisory)
- http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360-en (writeup:cve-2014-8360-en [tlk wiki])
- https://forge.indepnet.net/issues/5101
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:167 (mandriva.com)
- http://advisories.mageia.org/MGASA-2015-0017.html (Mageia Advisory: MGASA-2015-0017 - Updated glpi package fixes security vulnerabilities)