CVE-2021-43778

9.1 CRITICAL

📋 TL;DR

This CVE describes a path traversal vulnerability in the Barcode plugin for GLPI that lets an attacker read arbitrary files readable by the web server user. It affects Barcode plugin versions 2.x prior to 2.6.1; the version range refers to the plugin, not to GLPI itself. The vulnerable endpoint is the plugin's front/send.php.
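The bug class described above, as an added Python illustration (not the plugin's PHP and not code from the advisory): a naive join of a user-supplied file name onto a base directory beside a hardened resolver that checks containment after resolving the path. The base directory and the file parameter name are assumptions made for this example.

```python
import os
from typing import Optional

# Assumed layout for this illustration: the endpoint is meant to serve files
# from one fixed directory. Neither the directory nor the "file" parameter
# name is taken from the plugin's source.
BASE_DIR = "/var/www/glpi/files/_plugins/barcode"


def vulnerable_resolve(user_file: str) -> str:
    """Naive join: the traversal pattern behind CVE-2021-43778.

    ".." segments are honoured by the filesystem, so a crafted name walks
    out of BASE_DIR to any file the web server user can read.
    """
    return os.path.normpath(os.path.join(BASE_DIR, user_file))


def hardened_resolve(user_file: str) -> Optional[str]:
    """Resolve first, then verify the result is still inside BASE_DIR.

    Checking the resolved path (rather than grepping for "..") also covers
    absolute names, redundant segments and symlinks under BASE_DIR.
    Returns the safe absolute path, or None when the request is rejected.
    """
    if not user_file or "\x00" in user_file:
        # Empty name would serve the directory itself; NUL truncates paths
        # in C-based file APIs.
        return None
    base = os.path.realpath(BASE_DIR)
    # os.path.join discards BASE_DIR when user_file is absolute, which is
    # exactly why the containment check below is needed.
    candidate = os.path.realpath(os.path.join(base, user_file))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised when the two paths cannot share a prefix (e.g. different
        # drives on Windows); treat as outside.
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


if __name__ == "__main__":
    probe = "../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_resolve(probe))      # escapes to /etc/passwd
    print("hardened:  ", hardened_resolve(probe))        # None: rejected
    print("hardened:  ", hardened_resolve("labels/asset-42.pdf"))
```

The point of the hardened version is that the decision is made on the resolved path, so encoded or mixed-separator variants that the web server decodes before the script sees them are handled the same way as a plain `../`.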

💻 Affected Systems

Products:
  • GLPI Barcode Plugin
Versions: Barcode plugin 2.x prior to 2.6.1
Operating Systems: All operating systems running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the barcode plugin (2.x, before 2.6.1) to be installed and enabled on the GLPI instance; the GLPI core itself is not the affected component.

📦 What is this software?

GLPI is an open-source IT asset management and service desk (ITSM) web application. The Barcode plugin adds printing of barcode and QR code labels for GLPI inventory items, and front/send.php is one of its web-accessible scripts.

⚠️ Risk & Real-World Impact

🔴 Worst Case: An attacker reads sensitive files such as GLPI's database configuration (config/config_db.php), other credentials and system files, which can be chained into full compromise of the application and its data.

🟠 Likely Case: Unauthorized disclosure of application configuration, user data or system information.

🟢 If Mitigated: Reads are always confined to files the web server user can access, so tight file permissions bound what can be taken (the web server user can still read GLPI's own configuration), and network segmentation limits who can reach the endpoint at all.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable with unauthenticated web requests and public proof-of-concept code exists.
🏢 Internal Only: MEDIUM - Any user with network access to the GLPI web interface can read files accessible to the web server user, including application credentials that may be reusable elsewhere.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exploits exist on GitHub. Exploitation requires sending specially crafted requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.1

Vendor Advisory: https://github.com/pluginsGLPI/barcode/security/advisories/GHSA-2pjh-h828-wcw9

Restart Required: No

Instructions:

1. Update the barcode plugin to version 2.6.1 or later.
2. Download the release from the plugin's GitHub releases page.
3. Replace the plugin directory (plugins/barcode) under the GLPI root.
4. Clear the GLPI cache if applicable.

🔧 Temporary Workarounds

Delete vulnerable file

linux

Remove the front/send.php file that contains the vulnerability. This disables whatever plugin functionality routes through send.php, and the file comes back if the plugin directory is reinstalled or restored from backup, so re-check after any plugin update.

rm /path/to/glpi/plugins/barcode/front/send.php

Delete vulnerable file (Windows)

windows

Remove the front/send.php file that contains the vulnerability (same caveats as above).

del C:\path\to\glpi\plugins\barcode\front\send.php

🧯 If You Can't Patch

  • Apply the workaround to delete the front/send.php file (or deny HTTP access to it in the web server configuration)
  • Implement web application firewall rules to block path traversal patterns in requests to the plugin, matching URL-decoded (including double-encoded) values rather than only a literal ../

🔍 How to Verify

Check if Vulnerable:

Confirm the barcode plugin is installed (plugins/barcode/ exists under the GLPI root) and that its version is below 2.6.1. The presence of front/send.php alone is not conclusive; go by the plugin version.

Check Version:

Use the GLPI plugin management interface (Setup > Plugins), or read the version from the plugin's own files (GLPI plugins declare their version in setup.php).

Verify Fix Applied:

Verify the plugin version reported is 2.6.1 or later, or, if the workaround was used, that plugins/barcode/front/send.php is absent (or returns an error over HTTP).

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /plugins/barcode/front/send.php whose query string contains ../ or its URL-encoded forms (%2e%2e%2f, ..%2f, double-encoded %252e%252e%252f)
  • Successful (HTTP 200) responses to such requests, which indicate the read worked
  • Unusual file access by the web server process outside the GLPI tree

Network Indicators:

  • HTTP requests containing path traversal sequences to barcode plugin endpoints

SIEM Query:

web.url:*barcode*front*send.php AND web.url:*..*

The literal *..* pattern misses URL-encoded traversal; if your SIEM stores the raw URL, also match *%2e%2e* and *%252e*, or normalize URLs before querying.
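To make the indicators above concrete, here is an added Python scanner (not from this page or the plugin project) that runs over constructed Apache-style access-log lines, percent-decodes each query value repeatedly and flags send.php requests carrying a traversal sequence, including the URL-encoded and double-encoded forms a literal `..` match misses. The log lines and the file parameter name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines (Apache combined format). Not real
# traffic; the parameter name "file" is an assumption for the illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:08:01:12 +0000] "GET /glpi/plugins/barcode/front/send.php?file=labels/asset-42.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:08:02:44 +0000] "GET /glpi/plugins/barcode/front/send.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.79.1"
203.0.113.7 - - [10/Dec/2021:08:02:51 +0000] "GET /glpi/plugins/barcode/front/send.php?file=..%2f..%2f..%2f..%2fconfig%2fconfig_db.php HTTP/1.1" 200 612 "-" "curl/7.79.1"
203.0.113.7 - - [10/Dec/2021:08:03:02 +0000] "GET /glpi/plugins/barcode/front/send.php?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 211 "-" "curl/7.79.1"
10.0.0.9 - - [10/Dec/2021:08:05:00 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)
# ".." followed by a slash/backslash or end of value, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')
TARGET_SUFFIX = "/plugins/barcode/front/send.php"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both surface as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text: str) -> list:
    """Return one dict per traversal attempt against the barcode send.php endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        url = m.group("url")
        path, _, raw_query = url.partition("?")
        # Decode the path too so an encoded script name cannot evade the match.
        if not fully_decode(path).lower().endswith(TARGET_SUFFIX):
            continue
        # parse_qsl performs one decode; fully_decode handles any remaining layers.
        for name, value in parse_qsl(raw_query, keep_blank_values=True):
            decoded = fully_decode(value)
            if TRAVERSAL_RE.search(decoded):
                hits.append({
                    "src": m.group("src"),
                    "ts": m.group("ts"),
                    "param": name,
                    "decoded_value": decoded,
                    "status": int(m.group("status")),
                })
    return hits


def sources_by_attempts(hits: list) -> dict:
    """Count attempts per source IP for triage; a 200 on a traversal request means the read likely succeeded."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["param"]}={h["decoded_value"]} -> {h["status"]}')
    print(sources_by_attempts(found))
```

Feed it your real access log in place of SAMPLE_LOG; the decode loop is what turns the encoded and double-encoded lines into findings, and the status column separates blocked probes (403 from a WAF) from reads that went through.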

🔗 References

  • Vendor advisory (GHSA-2pjh-h828-wcw9): https://github.com/pluginsGLPI/barcode/security/advisories/GHSA-2pjh-h828-wcw9
