pluginsGLPI Database Inventory Plugin Database Agent Request Vulnerability
Vulnerability
A vulnerability exists in the Database Inventory Plugin for pluginsGLPI, specifically in versions through 1.0.2. This issue allows any authenticated user to send requests to Teclib' inventory agents, potentially disrupting the database inventory process on the workstation. The vulnerability has been addressed in version 1.0.3.
Impact
Exploitation of this vulnerability allows authenticated users to send requests to inventory agents, which could interfere with the database inventory process on the affected workstation.
Reproduction
To reproduce this vulnerability, an authenticated user can send requests to the Teclib' inventory agents managed by the Database Inventory Plugin. This can be done by using the 'ajax/agent.php' endpoint and including the 'action' and 'id' parameters in the request. The absence of proper permission checks in versions prior to 1.0.3 allows this action to be performed by any authenticated user.
Remediation
Users are advised to update the Database Inventory Plugin to version 1.0.3 or later.
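An added example (not part of the advisory or the plugin's code): a log review for the period before the update to 1.0.3, listing which clients called the 'ajax/agent.php' endpoint named under Reproduction. The log format, the sample lines, `PLUGIN_PATH`, `action=EXAMPLE` and the `expected_sources` allowlist are assumptions; set `endpoint` to your install's full plugin path so unrelated scripts with the same file name are not matched.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not from a real system).
# PLUGIN_PATH and action=EXAMPLE are placeholders, not real values.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /PLUGIN_PATH/ajax/agent.php?action=EXAMPLE&id=7 HTTP/1.1" 200 120
192.0.2.44 - - [01/Jan/2024:10:02:13 +0000] "POST /PLUGIN_PATH/ajax/agent.php HTTP/1.1" 200 98
192.0.2.44 - - [01/Jan/2024:10:02:15 +0000] "GET /PLUGIN_PATH/ajax/agent.php?action=EXAMPLE&id=9 HTTP/1.1" 200 98
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2024:10:04:00 +0000] "GET /PLUGIN_PATH/ajax/agent.php?action=EXAMPLE HTTP/1.1" 400 10
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_agent_requests(log_text, endpoint="ajax/agent.php", expected_sources=frozenset()):
    """Return {client_ip: [request, ...]} for endpoint calls from unexpected sources."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] in expected_sources:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/" + endpoint.lower()):
            continue
        params = parse_qs(url.query)
        # A GET must carry both 'action' and 'id' in the query string to count.
        # A POST body is not logged, so POSTs are kept for manual review.
        if m["method"] == "GET" and not {"action", "id"} <= params.keys():
            continue
        hits[m["ip"]].append({
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "action": params.get("action", [None])[0],
            "id": params.get("id", [None])[0],
        })
    return dict(hits)

if __name__ == "__main__":
    # 192.0.2.10 stands in for a known administrator workstation (assumption).
    found = find_agent_requests(SAMPLE_LOG, expected_sources={"192.0.2.10"})
    for ip, reqs in found.items():
        for req in reqs:
            print(ip, req)
```

Web access logs do not record the GLPI account, so each hit still has to be matched to a user through session or application logs.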
