Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-31056 — SQL Injection in Glpi

CWE-89 — SQL Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

3.5%

top 12.46%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Glpi-project Glpi

Timeline

PublishedJun 28

Latest updateApr 3

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDglpi-project/glpi10.0.0 — 10.0.2

▶CVEListV5glpi-project/glpi>= 10.0.0, < 10.0.2

🔴Vulnerability Details

OSV

CVE-2022-31056: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing↗2022-06-28

▶

💥Exploits & PoCs

Exploit-DB

GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)↗2023-04-03

▶