CVE-2016-7508

HIGH

GLPI 0.90.4 - Authenticated SQL Injection via Big5 Encoding Character

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-7508. PoCs published by Eric CARTER.

AI-analyzed exploit summary This writeup describes a SQL injection vulnerability in GLPI 0.90.4 when the database is configured to use BIG5 encoding. The attack leverages a specific character sequence to bypass sanitization and execute arbitrary SQL commands.

Description

Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.

Exploits (1)

exploitdb WRITEUP VERIFIED

by Eric CARTER · textwebappsphp

https://www.exploit-db.com/exploits/42262

View Code ZIP pw:eip

This writeup describes a SQL injection vulnerability in GLPI 0.90.4 when the database is configured to use BIG5 encoding. The attack leverages a specific character sequence to bypass sanitization and execute arbitrary SQL commands.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: GLPI 0.90.4

Auth required

Prerequisites: Database configured to use BIG5 encoding · Authenticated access to GLPI

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://github.com/glpi-project/glpi/issues/1047

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42262/

Scores

CVSS v3 7.5

EPSS 0.0160

EPSS Percentile 72.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

glpi-project/glpi 0.90.4

Published Jun 21, 2017

Tracked Since Feb 18, 2026