Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities found for fields by pluginsGLPI

    CVE-2026-23489 (GCVE-0-2026-23489)

    Vulnerability from nvd – Published: 2026-03-16 17:12 – Updated: 2026-03-16 17:51
    VLAI
    Title
    Fields GLPI plugin vulnerable to RCE in dropdown generation
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.23.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23489",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T17:46:27.792352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T17:51:31.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.23.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-16T17:12:43.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3"
            }
          ],
          "source": {
            "advisory": "GHSA-rj7q-mmx9-fhq7",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin vulnerable to RCE in dropdown generation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23489",
        "datePublished": "2026-03-16T17:12:43.964Z",
        "dateReserved": "2026-01-13T15:47:41.628Z",
        "dateUpdated": "2026-03-16T17:51:31.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45600 (GCVE-0-2024-45600)

    Vulnerability from nvd – Published: 2024-12-26 21:27 – Updated: 2024-12-30 14:53
    VLAI
    Title
    Fields GLPI plugin has an Authenticated SQL Injection
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.21.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45600",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-30T14:53:11.947866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-30T14:53:26.436Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.21.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-26T21:27:01.168Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166"
            }
          ],
          "source": {
            "advisory": "GHSA-wwxw-64g6-2992",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin has an Authenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-45600",
        "datePublished": "2024-12-26T21:27:01.168Z",
        "dateReserved": "2024-09-02T16:00:02.423Z",
        "dateUpdated": "2024-12-30T14:53:26.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28855 (GCVE-0-2023-28855)

    Vulnerability from nvd – Published: 2023-04-05 17:48 – Updated: 2025-02-10 16:27
    VLAI
    Title
    Fields GLPI plugin vulnerable to unauthorized write access to additional fields
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.13.1
    Affected: >= 1.20.0, < 1.20.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.639Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28855",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T16:27:27.665693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T16:27:40.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.13.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.20.0, \u003c 1.20.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-05T17:48:22.384Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
            }
          ],
          "source": {
            "advisory": "GHSA-52vv-hm4x-8584",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin vulnerable to unauthorized write access to additional fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-28855",
        "datePublished": "2023-04-05T17:48:22.384Z",
        "dateReserved": "2023-03-24T16:25:34.468Z",
        "dateUpdated": "2025-02-10T16:27:40.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-23489 (GCVE-0-2026-23489)

    Vulnerability from cvelistv5 – Published: 2026-03-16 17:12 – Updated: 2026-03-16 17:51
    VLAI
    Title
    Fields GLPI plugin vulnerable to RCE in dropdown generation
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.23.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23489",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-16T17:46:27.792352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-16T17:51:31.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.23.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-16T17:12:43.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-rj7q-mmx9-fhq7"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.23.3"
            }
          ],
          "source": {
            "advisory": "GHSA-rj7q-mmx9-fhq7",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin vulnerable to RCE in dropdown generation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23489",
        "datePublished": "2026-03-16T17:12:43.964Z",
        "dateReserved": "2026-01-13T15:47:41.628Z",
        "dateUpdated": "2026-03-16T17:51:31.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45600 (GCVE-0-2024-45600)

    Vulnerability from cvelistv5 – Published: 2024-12-26 21:27 – Updated: 2024-12-30 14:53
    VLAI
    Title
    Fields GLPI plugin has an Authenticated SQL Injection
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.21.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45600",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-30T14:53:11.947866Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-30T14:53:26.436Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.21.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to 1.21.13, an authenticated user can perform a SQL injection when the plugin is active. The vulnerability is fixed in 1.21.13."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-26T21:27:01.168Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-wwxw-64g6-2992"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/commit/eb927b0f084ee4ef6c87ab2eb7a15e99369e74ae#diff-a7024a397fba9a026157683da73cc675ec6b73bd900374b3836bcdc76ec7bd5cR1166"
            }
          ],
          "source": {
            "advisory": "GHSA-wwxw-64g6-2992",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin has an Authenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-45600",
        "datePublished": "2024-12-26T21:27:01.168Z",
        "dateReserved": "2024-09-02T16:00:02.423Z",
        "dateUpdated": "2024-12-30T14:53:26.436Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-28855 (GCVE-0-2023-28855)

    Vulnerability from cvelistv5 – Published: 2023-04-05 17:48 – Updated: 2025-02-10 16:27
    VLAI
    Title
    Fields GLPI plugin vulnerable to unauthorized write access to additional fields
    Summary
    Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    pluginsGLPI fields Affected: < 1.13.1
    Affected: >= 1.20.0, < 1.20.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T13:51:38.639Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
              },
              {
                "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-28855",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T16:27:27.665693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T16:27:40.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fields",
              "vendor": "pluginsGLPI",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.13.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.20.0, \u003c 1.20.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to versions 1.13.1 and 1.20.4, lack of access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-05T17:48:22.384Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pluginsGLPI/fields/security/advisories/GHSA-52vv-hm4x-8584"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/commit/784260be7db185bb1e7d66b299997238c4c0205d"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.13.1"
            },
            {
              "name": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pluginsGLPI/fields/releases/tag/1.20.4"
            }
          ],
          "source": {
            "advisory": "GHSA-52vv-hm4x-8584",
            "discovery": "UNKNOWN"
          },
          "title": "Fields GLPI plugin vulnerable to unauthorized write access to additional fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-28855",
        "datePublished": "2023-04-05T17:48:22.384Z",
        "dateReserved": "2023-03-24T16:25:34.468Z",
        "dateUpdated": "2025-02-10T16:27:40.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }