Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-9258 — SQL Injection in Glpi

CWE-89 — SQL Injection7 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

9.1%

top 7.31%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Glpi-project Glpi

Timeline

PublishedDec 19

Latest updateMay 17

Description

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

▶NVDglpi-project/glpi0.85

Patches

Patch: www.glpi-project.org ↗Patch: www.glpi-project.org ↗

🔴Vulnerability Details

GHSA

GHSA-rv52-jqj3-929g: SQL injection vulnerability in ajax/getDropdownValue↗2022-05-17

▶

OSV

CVE-2014-9258: SQL injection vulnerability in ajax/getDropdownValue↗2014-12-19

▶

💥Exploits & PoCs

Exploit-DB

GLPI 0.85 - Blind SQL Injection↗2014-12-15

▶

💬Community

Bugzilla

CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [epel-all]↗2014-12-19

▶

Bugzilla

CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection [fedora-all]↗2014-12-19

▶

Bugzilla

CVE-2014-9258 glpi: ajax/getDropdownValue.php SQL injection↗2014-12-19

▶