CVE-2022-31056

CRITICAL

GLPI <10.0.2 - SQL Injection

Title source: llm

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.

Exploits (1)

exploitdb WORKING POC

by Nuri Çilengir · textwebappsphp

https://www.exploit-db.com/exploits/51233

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.html

[Third Party Advisory] https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg

Scores

CVSS v3 9.8

EPSS 0.0345

EPSS Percentile 87.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

glpi-project/glpi 10.0.0 - 10.0.2

Published Jun 28, 2022

Tracked Since Feb 18, 2026