CVE-2024-29889

GLPI contains an SQL injection through the saved searches

CVSS 7.1 HIGH · EPSS 64.9% · CWE-89
In short

GLPI has a security flaw in its saved searches feature that allows logged-in users to inject malicious SQL commands. An attacker could use this to alter another user's account data and take control of it.

Technical detail

A SQL injection vulnerability in the saved searches functionality of GLPI prior to version 10.0.15 allows authenticated attackers to execute arbitrary SQL queries. Exploitation requires valid user credentials and can result in unauthorized modification of user account data and privilege escalation through account takeover.

Summary generated and translated by AI from the official description.
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Affected products
glpi-project · glpi
