git: fc8db0625d90 - main - security/vuxml: CVEs affecting www/glpi < 10.0.15
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 29 Apr 2024 10:42:56 UTC
The branch main has been updated by philip:
URL: https://cgit.FreeBSD.org/ports/commit/?id=fc8db0625d9084fe6207904c4f91b48d986994ca
commit fc8db0625d9084fe6207904c4f91b48d986994ca
Author: Mathias Monnerville <mathias@monnerville.com>
AuthorDate: 2024-04-28 19:51:00 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2024-04-29 10:39:04 +0000
security/vuxml: CVEs affecting www/glpi < 10.0.15
CVE-2024-31456 and CVE-2024-29889 were fixed in GLPI 10.0.15.
PR: 278641
PR: 278642
---
security/vuxml/vuln/2024.xml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index d25c4b90e530..3b5800d55335 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,34 @@
+ <vuln vid="5da8b1e6-0591-11ef-9e00-080027957747">
+ <topic>GLPI -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>glpi</name>
+ <range><lt>10.0.15,1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>GLPI team reports:</p>
+ <blockquote cite="https://github.com/glpi-project/glpi/releases/tag/10.0.15">
+ <p>GLPI 10.0.15 Changelog</p>
+ <ul>
+ <li>[SECURITY - high] Authenticated SQL injection from map search (CVE-2024-31456)</li>
+ <li>[SECURITY - high] Account takeover via SQL Injection in saved searches feature (CVE-2024-29889)</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2024-31456</cvename>
+ <cvename>CVE-2024-29889</cvename>
+ <url>https://github.com/glpi-project/glpi/releases/tag/10.0.15</url>
+ </references>
+ <dates>
+ <discovery>2024-04-03</discovery>
+ <entry>2024-04-28</entry>
+ </dates>
+ </vuln>
+
<vuln vid="b3affee8-04d1-11ef-8928-901b0ef714d4">
<topic>py-social-auth-app-django -- Improper Handling of Case Sensitivity</topic>
<affects>