Candidate: CVE-2020-15176
PublicDate: 2020-10-07 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15176
 https://github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575
Description:
 In GLPI before version 9.5.2, when supplying a back tick in input that gets
 put into a SQL query,the application does not escape or sanitize allowing
 for SQL Injection to occur. Leveraging this vulnerability an attacker is
 able to exfiltrate sensitive information like passwords, reset tokens,
 personal details, and more. The issue is patched in version 9.5.2
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N [8.6 HIGH]


Patches_glpi:
upstream_glpi: needs-triage
precise/esm_glpi: DNE
trusty_glpi: ignored (out of standard support)
trusty/esm_glpi: DNE
xenial_glpi: not-affected (code not present)
bionic_glpi: DNE
focal_glpi: DNE
groovy_glpi: DNE
devel_glpi: DNE