VYPR
Unrated severity · NVD Advisory · Published Nov 24, 2021 · Updated Sep 8, 2025

Path traversal in GLPI barcode plugin

CVE-2021-43778

Description

Path traversal in GLPI barcode plugin allows unauthenticated attackers to read arbitrary files via a crafted request to front/send.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The GLPI barcode plugin versions 2.x prior to 2.6.1 contain a path traversal vulnerability in the front/send.php file. An attacker can supply a crafted file parameter containing directory traversal sequences (e.g., ../) to read arbitrary files outside the intended directory. The issue was introduced in version 2.0 and fixed in version 2.6.1 [1][2][3].

Exploitation

An unauthenticated attacker with network access to the GLPI instance can exploit this by sending a GET request to front/send.php with a malicious file parameter. No special privileges or user interaction are required. The vulnerability is triggered when the plugin processes the file path without proper sanitization [1][2].

Impact

Successful exploitation allows the attacker to read arbitrary files from the server's filesystem, including sensitive configuration files, credentials, or other data. This leads to information disclosure and can compromise the confidentiality of the GLPI instance and underlying system [2].

Mitigation

The vulnerability is fixed in version 2.6.1, released on 2021-11-24 [3]. Users should upgrade immediately. As a workaround, administrators can delete the front/send.php file from the plugin directory. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • GNU/Barcode (llm-fuzzy)
    Range: >=2.0, <2.6.1
  • pluginsGLPI/barcode (v5)
    Range: >=2.0.0, <2.6.1

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing `exit` after logging a non‑standard file request allows path traversal to succeed."

Attack vector

An attacker with a valid GLPI session can send a crafted request to `front/send.php` that includes path‑traversal sequences (e.g. `../../etc/passwd`) in the filename parameter. Because the script logs the suspicious request but does not stop further processing, the attacker can read arbitrary files outside the intended document directory [ref_id=1]. This is a file‑path traversal vulnerability (CWE‑22).

Affected code

The vulnerable file is `front/send.php` in the barcode plugin for GLPI. After detecting a non‑standard file being requested, the code logs the event via `Toolbox::logDebug()` but does not terminate execution, allowing the subsequent file read (`$file = $docDir.'/'.$filename;`) to proceed. The patch adds an `exit;` statement after the debug log to halt execution on insecure file requests.

What the fix does

The patch inserts a single `exit;` statement right after the `Toolbox::logDebug()` call that logs a suspicious file request. This ensures that when a non‑standard filename is detected, script execution stops before the vulnerable line `$file = $docDir.'/'.$filename;` is reached, preventing any file from being read. No other changes are needed because the existing check for non‑standard files already identifies the attack—it simply did not enforce the rejection.
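As an added illustration (not code from the plugin, its patch, or this page), the PHP stand-in below models a document-sending endpoint and contrasts the pre-2.6.1 fail-open shape (log the suspicious name, keep going) with the fixed fail-closed shape, then adds a realpath containment check as defence in depth beyond the plugin's one-line patch. DOC_DIR, log_debug() and the resolve_* names are assumptions; PHP 8 is assumed.

```php
<?php
// Added illustration, not the plugin's code. Names assumed: DOC_DIR,
// log_debug() (stand-in for Toolbox::logDebug()), resolve_*(). PHP 8 assumed.
const DOC_DIR = __DIR__ . '/documents';   // assumed document root

function log_debug(string $msg): void {
    error_log($msg);
}

// "Non-standard" name: empty, contains a NUL byte, contains a directory
// separator, or is a bare '.' / '..' segment.
function is_non_standard(string $filename): bool {
    return $filename === ''
        || str_contains($filename, "\0")
        || $filename !== basename($filename)
        || $filename === '.' || $filename === '..';
}

// Pre-2.6.1 shape: the suspicious name is logged, but nothing stops the read,
// so the concatenated path still escapes DOC_DIR (fail-open).
function resolve_vulnerable(string $filename): string {
    if (is_non_standard($filename)) {
        log_debug("Non-standard file requested: $filename");
        // BUG: no exit/return here; execution falls through to the read.
    }
    return DOC_DIR . '/' . $filename;
}

// 2.6.1 shape: the same check now fails closed (the plugin uses `exit;`;
// a return value is used here so the function can be called in-process).
// The realpath containment below it is extra defence in depth, not part of
// the plugin's patch: even if the name check were bypassed, the canonical
// path must still lie under DOC_DIR.
function resolve_fixed(string $filename): ?string {
    if (is_non_standard($filename)) {
        log_debug("Non-standard file requested: $filename");
        return null;
    }
    $root = realpath(DOC_DIR);
    $real = realpath(DOC_DIR . '/' . $filename);
    if ($root === false || $real === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed inputs: the traversal name quoted above and a benign name.
var_dump(resolve_vulnerable('../../etc/passwd'));
var_dump(resolve_fixed('../../etc/passwd'));
var_dump(resolve_fixed('label.pdf'));
```

The benign name resolves only if the file actually exists under DOC_DIR, since realpath() returns false for a missing path; that is the intended fail-closed behaviour.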

Preconditions

  • auth: The attacker must have an active GLPI session (any authenticated user role).
  • config: The barcode plugin must be installed and the `front/send.php` endpoint exposed.
  • input: The attacker must be able to supply an arbitrary `filename` parameter containing path-traversal sequences (e.g. `../`).

Generated on Jun 13, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
