Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-2226 — SQL Injection in Glpi

CWE-89 — SQL Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

2.6%

top 14.38%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Glpi-project Glpi

Timeline

PublishedMay 14

Latest updateMay 17

Description

Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Ubuntuglpi-project/glpi< 0.84.3+dfsg.1-1

▶NVDglpi-project/glpi0.83.8+9

Patches

Patch: www.glpi-project.org ↗Patch: www.glpi-project.org ↗

🔴Vulnerability Details

GHSA

GHSA-m4cw-927q-j2jf: Multiple SQL injection vulnerabilities in GLPI before 0↗2022-05-17

▶

OSV

CVE-2013-2226: Multiple SQL injection vulnerabilities in GLPI before 0↗2014-05-14

▶

💥Exploits & PoCs

Exploit-DB

GLPI 0.83.8 - Multiple Vulnerabilities↗2013-06-21

▶