CVE-2022-24867

HIGH

GLPI < 10.0.0 - Unauthenticated LDAP Password Exposure via JavaScript Config

Title source: llm

Description

GLPI is a free asset and IT management software package that provides ITIL service desk features, licence tracking and software auditing. When GLPI passes its configuration to the page's JavaScript, some sensitive entries are filtered out, but the ldap_pass entry is not, so the password for the LDAP root DN can be read in the source of the rendered page. Because no authentication is required to load such a page (the CVSS vector is PR:N), any client that can reach the web interface can recover the LDAP bind credential. Users are advised to upgrade to 10.0.0. There is no known workaround for this issue.
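As an added illustration (not code from this page or from the GLPI project), the following Python shows the bug class and a check for it: a config export that strips secrets with a denylist that forgets ldap_pass, beside an allowlist version that only lets known-public keys through, plus a scanner that parses a saved page's inline scripts for a leaked config object. The global name CFG_GLPI, the key names other than ldap_pass, and the sample values are assumptions; GLPI's real template and config keys may differ.

```python
import json
import re
from html.parser import HTMLParser

# Keys that must never reach the browser. ldap_pass is the one this CVE is
# about; the other names are assumed examples of the same class of secret.
SECRET_KEYS = {"ldap_pass", "smtp_passwd", "proxy_passwd"}

# A denylist that forgets ldap_pass: the shape of the bug ("some entries are
# filtered out" but not this one). Names other than ldap_pass are assumed.
DENYLIST = {"smtp_passwd", "proxy_passwd"}

# Allowlist of keys the page actually needs. Names are assumed; the point is
# that a new secret added to the config is never exported by default.
PUBLIC_KEYS = {"root_doc", "version", "language"}

# Assumed way the config reaches the page: a JSON object assigned to a global
# inside an inline <script>. The variable name is illustrative only.
ASSIGNMENT = re.compile(r"var\s+CFG_GLPI\s*=\s*")

# Constructed sample config, including a privileged LDAP bind password.
SAMPLE_CFG = {
    "root_doc": "/glpi",
    "version": "9.5.7",
    "language": "en_GB",
    "ldap_pass": "hunter2",
    "smtp_passwd": "s3cret",
    "proxy_passwd": "",
}


def strip_with_denylist(cfg: dict) -> dict:
    """Vulnerable pattern: drop only the keys someone remembered to list."""
    return {k: v for k, v in cfg.items() if k not in DENYLIST}


def strip_with_allowlist(cfg: dict) -> dict:
    """Hardened pattern: export only keys explicitly marked as public."""
    return {k: v for k, v in cfg.items() if k in PUBLIC_KEYS}


def render_page(cfg: dict, filter_fn) -> str:
    """Constructed stand-in for a rendered page embedding the filtered config."""
    exported = json.dumps(filter_fn(cfg))
    return (
        "<html><head>"
        f"<script>var CFG_GLPI = {exported};</script>"
        "</head><body></body></html>"
    )


class _InlineScripts(HTMLParser):
    """Collect the text of every inline (src-less) <script> element."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def leaked_secrets(html: str) -> dict:
    """Return {key: value} for every secret key that appears with a non-empty
    value in a config object assigned inside the page's inline scripts."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    decoder = json.JSONDecoder()
    found = {}
    for script in parser.scripts:
        for m in ASSIGNMENT.finditer(script):
            try:
                # raw_decode handles nested objects, unlike a brace regex.
                cfg, _ = decoder.raw_decode(script, m.end())
            except json.JSONDecodeError:
                continue
            if not isinstance(cfg, dict):
                continue
            for key in SECRET_KEYS & cfg.keys():
                if cfg[key]:
                    found[key] = cfg[key]
    return found


if __name__ == "__main__":
    for name, fn in (("denylist", strip_with_denylist), ("allowlist", strip_with_allowlist)):
        print(name, leaked_secrets(render_page(SAMPLE_CFG, fn)))
```

To check an install, save the HTML of a rendered page (with the browser or curl) and pass it to leaked_secrets(); a non-empty result means a secret from the server-side configuration is being shipped to every client that can load that page, which is exactly the exposure described for versions before 10.0.0.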

Scores

CVSS v3 7.5
EPSS 0.0122
EPSS Percentile 64.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-200 CWE-522
Status published
Products (1)
glpi-project/glpi < 10.0.0
Published Apr 21, 2022
Tracked Since Feb 18, 2026