FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

glpi -- Any CalDAV calendars is read-only for every authenticated user

Affected packages
9.5.0 < glpi
glpi < 9.5.3

Details

VuXML ID 6a467439-3b38-11eb-af2a-080027dbe4b7
Discovery 2020-10-01
Entry 2020-10-01

MITRE Corporation reports:

In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. This issue is fixed in version 9.5.3. As a workaround, one can remove the caldav.php file to block access to CalDAV server.

[source]

References

CVE Name CVE-2020-26212
URL https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7
URL https://github.com/glpi-project/glpi/releases/tag/9.5.3
URL https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.