CVE-2021-39211
published 2021-09-15


Priority: P276 medium
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
ITW / exploit status: VulnCheck KEV, exploited in the wild
EPSS: 4.45% (90.2th percentile)
GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.

Affected (2 ranges)

Vendor        Product  Version range    Fixed in
glpi-project  glpi
glpi-project  glpi     >= 9.2 < 9.5.6   9.5.6

Detection & IOCs (extracted from sources)

path:  /ajax/telemetry.php
path:  /glpi/ajax/telemetry.php
other: http.favicon.hash:-1474875778
  • Probe GET /ajax/telemetry.php (and /glpi/ajax/telemetry.php); a vulnerable instance returns HTTP 200 with both '"uuid":' and '"glpi":' in the response body.
  • Use Shodan query 'http.title:"glpi"' or favicon hash '-1474875778' to identify exposed GLPI instances for further testing.
  • Use FOFA query 'icon_hash="-1474875778"' or 'title="glpi"' to identify exposed GLPI instances.
  • Use Google dork 'intitle:"glpi"' to discover publicly exposed GLPI installations.
  • The vulnerable endpoint is only present in GLPI versions 9.2 through 9.5.5; version 9.5.6 and later are patched. Confirm the version before acting on findings.
  • The file ajax/telemetry.php can be removed as a workaround without impacting normal GLPI functionality; its absence on a patched or hardened system means the probe will return non-200 and should not be flagged as vulnerable.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                 5.3    MEDIUM
vulncheck           5.3    MEDIUM