CVE-2022-31061
SQL injection on login page in GLPI
In short
GLPI's login page contains a SQL injection vulnerability (CWE-89) that can be exploited without any credentials. The flaw is rated critical because the login page is reachable by anyone who can reach the GLPI web interface, and the CVSS vector rates the impact on confidentiality, integrity and availability as high. No workaround is published; the fix is to upgrade to a patched release.
Technical detail
A SQL injection weakness (CWE-89) exists in the GLPI login endpoint: input supplied through the login form parameters reaches a SQL statement without proper neutralization, so a remote attacker with no account can alter the query the database executes. The official description does not name the affected parameter or detail the impact; the CVSS vector (network, low attack complexity, no privileges, no user interaction) rates the loss of confidentiality, integrity and availability as high, which for injection into the database behind an IT asset management system means stored data could potentially be read or modified. Affected installations should be upgraded; no workaround is published.
Summary generated and translated by AI from the official description.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on the login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
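The weakness class behind this advisory, shown as an added example that is not GLPI's code and not taken from this page: a login lookup whose SQL text is assembled from the raw form values, beside the same lookup with bound parameters. The page does not say which GLPI login parameter is injectable, so the table name glpi_users, the column names, the query shape and the payload are all assumptions made for the illustration. The block runs offline against an in-memory SQLite database seeded with one constructed account.

```python
"""CWE-89 on a login form: a query assembled from raw form values beside its
parameterized replacement.

Generic example written for this page, not GLPI's own code: the table name
glpi_users, the column names, the query shape and the payload are assumptions.
Runs offline against an in-memory SQLite database seeded with one constructed
account.
"""
import hashlib
import sqlite3

# Constructed sample account.  Plain SHA-256 stands in for a real password
# hash only to keep the example short; it is not a recommended scheme.
USERS = [("admin", hashlib.sha256(b"correct horse").hexdigest())]


def make_db():
    """Create the in-memory database with the assumed glpi_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE glpi_users (name TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO glpi_users (name, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_query(name, password):
    """The CWE-89 pattern: form values spliced straight into the SQL text."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return (
        "SELECT name FROM glpi_users WHERE name = '%s' AND password = '%s'"
        % (name, pw_hash)
    )


def vulnerable_login(conn, name, password):
    """Return the matched user name, or None.  Whatever the browser sends in
    the name field becomes part of the statement the database parses."""
    row = conn.execute(build_vulnerable_query(name, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, name, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the statement text, so quotes and comment markers in the
    input are treated as data, never as SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT name FROM glpi_users WHERE name = ? AND password = ?",
        (name, pw_hash),
    ).fetchone()
    return row[0] if row else None


# Constructed payload: closes the quoted name and comments out the rest of the
# WHERE clause, so the password comparison never reaches the database.
PAYLOAD_NAME = "admin' -- "


def demonstrate():
    """Run both implementations against the same inputs and collect outcomes."""
    conn = make_db()
    return {
        "legit_vulnerable": vulnerable_login(conn, "admin", "correct horse"),
        "legit_safe": safe_login(conn, "admin", "correct horse"),
        "payload_vulnerable": vulnerable_login(conn, PAYLOAD_NAME, "wrong"),
        "payload_safe": safe_login(conn, PAYLOAD_NAME, "wrong"),
        "wrong_password_vulnerable": vulnerable_login(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_NAME, "wrong"))
    for case, result in demonstrate().items():
        print(f"{case}: {result!r}")
```

The two functions accept the legitimate credentials identically; they differ only when the name field carries SQL syntax, where the concatenated version returns the admin row with a wrong password and the parameterized version returns nothing. Which GLPI query was affected, and whether the real injection point behaves like this payload, is not stated on this page; the remediation the advisory gives is to upgrade.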
Affected products
glpi-project · glpi
Public PoCs found — 1
github · github.com/Wangyanan131/CVE-2022-31061 (★ 4)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.