CVE-2022-24867
HIGHGlpi < 10.0.0 - Information Disclosure
Title source: ruleDescription
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.
Scores
CVSS v3
7.5
EPSS
0.0036
EPSS Percentile
57.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-522
CWE-200
Status
published
Affected Products (1)
glpi-project/glpi
< 10.0.0
Timeline
Published
Apr 21, 2022
Tracked Since
Feb 18, 2026