CVE-2023-29006

8.8 HIGH

📋 TL;DR

This vulnerability in the Order GLPI plugin allows authenticated users with standard interface access to execute arbitrary system commands via a crafted URL. It affects versions 1.8.0 through 2.7.6 and 2.10.0, putting GLPI installations with this plugin at risk of remote code execution.

💻 Affected Systems

Products:
  • GLPI Order Plugin
Versions: 1.8.0 through 2.7.6 and 2.10.0
Operating Systems: All operating systems running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with access to standard interface; affects all GLPI installations with vulnerable plugin versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, lateral movement, or complete system takeover.

🟠 Likely Case

Authenticated attackers gaining shell access to the web server, allowing them to read sensitive files, modify data, or deploy malware.

🟢 If Mitigated

Limited impact if proper network segmentation and least privilege principles are implemented, restricting the web server's access to critical systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via a crafted URL; weaponization is likely given the high CVSS score and the fact that the outcome is remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.7 or 2.10.1

Vendor Advisory: https://github.com/pluginsGLPI/order/security/advisories/GHSA-xfx2-qx2r-3wwm

Restart Required: No

Instructions:

1. Update the Order plugin to version 2.7.7 or 2.10.1.
2. Download it from the official GLPI plugin repository.
3. Replace the plugin directory with the updated version.
4. Clear the GLPI cache if necessary.

🔧 Temporary Workarounds

Delete vulnerable file (applies to: all)

Remove the vulnerable ajax/dropdownContact.php file to prevent exploitation. Whatever the plugin serves from that endpoint stops working until the plugin is updated.

rm /path/to/glpi/plugins/order/ajax/dropdownContact.php

🧯 If You Can't Patch

  • Restrict plugin access to trusted users only via GLPI permissions
  • Implement web application firewall rules to block suspicious URL patterns targeting the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the file plugins/order/ajax/dropdownContact.php exists and the plugin version is between 1.8.0 and 2.7.6 or exactly 2.10.0.

Check Version:

Check the GLPI plugin management interface, or examine the plugins/order/README.md or plugin.xml file.

Verify Fix Applied:

Verify that the plugin version is 2.7.7 or 2.10.1, and that the dropdownContact.php file no longer contains unsafe command execution code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to /plugins/order/ajax/dropdownContact.php with command injection patterns
  • Web server logs showing system command execution attempts

Network Indicators:

  • HTTP requests containing shell metacharacters or command execution patterns targeting the vulnerable endpoint

SIEM Query:

source="web_server_logs" AND (url="*dropdownContact.php*" AND (method="POST" OR method="GET") AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*"))
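As an added example (not part of this advisory or the plugin), the following Python script applies the SIEM query's logic to web server access logs offline. It parses combined-format lines, percent-decodes the URL before matching (the raw-URL match above would miss an encoded `;`, i.e. `%3B`), and reports requests to the vulnerable endpoint that carry any of the listed shell metacharacters. The `id` query parameter and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory; shell metacharacters from its SIEM query.
VULN_PATH = "/plugins/order/ajax/dropdownContact.php"
METACHARS = (";", "|", "`", "$(")

# Apache/nginx combined log format: client, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def is_suspicious(url: str) -> bool:
    """True if the request targets the vulnerable endpoint and its query
    string carries shell metacharacters. The query is percent-decoded
    first, so an encoded ';' (%3B) is caught as well as a literal one."""
    path, _, query = url.partition("?")
    if not path.endswith(VULN_PATH):
        return False
    decoded = unquote(query)
    return any(m in decoded for m in METACHARS)

def scan_log(lines):
    """Return (ip, method, decoded url) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep scanning
        if is_suspicious(m["url"]):
            hits.append((m["ip"], m["method"], unquote(m["url"])))
    return hits

# Constructed sample lines (not real traffic). The 'id' parameter name is
# hypothetical: one benign lookup, one literal metacharacter, one
# percent-encoded metacharacter, one unrelated GLPI page.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2023:12:00:01 +0000] "GET /plugins/order/ajax/dropdownContact.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Apr/2023:12:00:07 +0000] "GET /plugins/order/ajax/dropdownContact.php?id=42;x HTTP/1.1" 200 17',
    '10.0.0.9 - - [10/Apr/2023:12:00:09 +0000] "POST /plugins/order/ajax/dropdownContact.php?id=42%24%28x%29 HTTP/1.1" 200 17',
    '10.0.0.7 - - [10/Apr/2023:12:00:11 +0000] "GET /front/central.php HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for ip, method, url in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {url}")
```

Access logs only record the request line, so metacharacters sent in a POST body are invisible to this check; pair it with application-level or WAF logging for POST traffic.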

🔗 References