CVE-2023-28855

Source
https://cve.org/CVERecord?id=CVE-2023-28855
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28855.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-28855
Aliases
  • GHSA-52vv-hm4x-8584
Published
2023-04-05T17:48:22.384Z
Modified
2025-11-29T08:30:04.054672Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Fields GLPI plugin vulnerable to unauthorized write access to additional fields
Details

Fields is a GLPI plugin that allows users to add custom fields on GLPI item forms. Prior to versions 1.13.1 and 1.20.4, a missing access control check allows any authenticated user to write data to any fields container, including those to which they have no configured access. Versions 1.13.1 and 1.20.4 contain a patch for this issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28855.json"
}
References

Affected packages

Git / github.com/pluginsglpi/fields

Affected ranges

Type
GIT
Repo
https://github.com/pluginsglpi/fields
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.13.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/pluginsglpi/fields
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.20.0"
        },
        {
            "fixed": "1.20.4"
        }
    ]
}

Affected versions

1.*
1.20.0
1.20.1
1.20.2
1.20.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28855.json"