CVE-2022-31056

SQL injection with _actor parameter in GLPI

CVSS 9.8 CRITICALEPSS 7.1%CWE-89

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

glpi-project · glpi

public PoCs found — 2

cve_referencepacketstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/51233unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.html https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg