CVE-2014-9258
published 2014-12-19
CVE-2014-9258: SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the…
Priority P3 · 41 · medium · 6.5 · CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS 3.17% · 86.4th percentile
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | <= 0.85 | — |
CVSS provenance
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
osv · 6.5 · MEDIUM
GHSA
GHSA-rv52-jqj3-929g: SQL injection vulnerability in ajax/getDropdownValue
ghsa_unreviewed·2022-05-17
CVE-2014-9258 [MEDIUM] CWE-89 GHSA-rv52-jqj3-929g: SQL injection vulnerability in ajax/getDropdownValue
OSV
CVE-2014-9258: SQL injection vulnerability in ajax/getDropdownValue
osv·2014-12-19·CVSS 6.5
CVE-2014-9258 [MEDIUM] CVE-2014-9258: SQL injection vulnerability in ajax/getDropdownValue
No detection rules found.
Bugzilla
CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [epel-all]
bugzilla·2014-12-19·CVSS 6.5
CVE-2014-9258 [MEDIUM] CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fe
Bugzilla
CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [fedora-all]
bugzilla·2014-12-19·CVSS 6.5
CVE-2014-9258 [MEDIUM] CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedor
Bugzilla
CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection
bugzilla·2014-12-19·CVSS 6.5
CVE-2014-9258 [MEDIUM] CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-9258 to
the following vulnerability:
Name: CVE-2014-9258
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
Assigned: 20141204
Reference: http://secunia.com/advisories/61367
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI
before 0.85.1 allows remote authenticated users to execute arbitrary
SQL commands via the condition parameter.
Discussion:
Created glpi tracking bugs for this issue:
Affects: fedora-all [bug 1176167]
Affects: epel-all [bug 1176168]
---
glpi-0.84.8-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
---
glpi-0.84.8-3.fc21 has been
http://advisories.mageia.org/MGASA-2015-0017.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147271.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147313.html
http://osvdb.org/show/osvdb/115957
http://secunia.com/advisories/61367
http://security.szurek.pl/glpi-085-blind-sql-injection.html
http://www.exploit-db.com/exploits/35528
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
http://www.mandriva.com/security/advisories?name=MDVSA-2015:167
Published: 2014-12-19