Vulnerability Details CVE-2019-12723
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. it allows SQL Injection via container_id and old_order parameters to ajax/reorder.php by an unauthenticated user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 78.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php
- https://github.com/pluginsGLPI/fields/pull/317
- https://github.com/pluginsGLPI/fields/releases/tag/1.10.0
- https://github.com/pluginsGLPI/fields/blob/master/ajax/reorder.php
- https://github.com/pluginsGLPI/fields/pull/317
- https://github.com/pluginsGLPI/fields/releases/tag/1.10.0
Products affected by CVE-2019-12723
-
cpe:2.3:a:teclib-edition:fields:*