CVE-2023-36808
HIGHGLPI 0.80-10.0.7 - SQL Injection via Computer Virtual Machine Form and Inventory Request
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2023-36808. PoCs published by fransosiche.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-36808, an unauthenticated SQL injection vulnerability in GLPI versions < 10.0.10. The exploit uses time-based blind SQL injection with binary search to efficiently extract data from the database.
Description
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
Exploits (1)
This repository contains a functional exploit for CVE-2023-36808, an unauthenticated SQL injection vulnerability in GLPI versions < 10.0.10. The exploit uses time-based blind SQL injection with binary search to efficiently extract data from the database.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N