cbcvebase.
CVE-2022-31061
published 2022-06-28


Priority: P2 (72), critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 50.89% (98.8th percentile)
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability on the login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Affected (4 ranges)

Vendor        Product  Version range        Fixed in
glpi-project  glpi
glpi-project  glpi
glpi-project  glpi     >= 10.0.0 < 10.0.2   10.0.2
glpi-project  glpi     >= 9.3.0 < 9.5.8     9.5.8

Detection & IOCs (extracted from sources)

url: /front/login.php
snort/suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Unauthenticated SQL Injection via Login (CVE-2022-31061)"; flow:established,to_server; http.uri; content:"/front/login.php"; http.request_body; content:"_glpi_csrf_token|3d|"; fast_pattern; content:"auth|3d|"; content:"noAUTO|3d|0"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,github.com/Orange-Cyberdefense/glpwnme/; reference:cve,2022-31061; classtype:web-application-attack; sid:2067153; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2022_31061, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Matches HTTP POST requests whose URI contains /front/login.php and whose body contains the parameters _glpi_csrf_token=, auth= and noAUTO=0; the unauthenticated SQL injection is delivered through the login form body.
  • The pcre carries the /R modifier, so it is evaluated immediately after the preceding content match (noAUTO=0), not anywhere in the body: it fires when a SQL metacharacter (single quote, double quote, semicolon, dash, backslash, asterisk, forward slash) or its URL-encoded form (%27, %22, %3b, %2d, %5c, %2a, %2f, either case) appears between that token and the next & separator, i.e. inside the noAUTO value. The _glpi_csrf_token= and auth= content matches are presence checks only and are not inspected for injection characters. A quote in another field, such as an apostrophe in a username or password, does not trigger the rule.
  • No user credentials are required to exploit this vulnerability, so an anomalous POST to the GLPI login page from an unauthenticated client is sufficient grounds for investigation.
  • The Snort/Suricata rule (sid:2067153) is tagged for TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt). It will NOT fire on HTTPS traffic unless TLS inspection is enabled on the sensor.
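To make the rule's scoping concrete, here is an added example (not code from this page, from Emerging Threats or from the GLPI project) that re-implements the match conditions of sid:2067153 in Python and runs them over constructed HTTP requests. The host name, CSRF token values and request bodies are hypothetical; the bodies that fire only place a quote character in the noAUTO value to exercise the regex and are not exploit payloads. The example assumes standard Suricata semantics: content matches without distance/within are unordered, and the /R modifier on pcre anchors the regex right after the previous content match.

```python
import re

# Re-implementation of the match logic of ET sid:2067153 (added example, not
# the rule author's code). Three plain content matches on the POST body plus
# one pcre with the /R modifier, which anchors the regex immediately after
# the preceding content match ("noAUTO=0"). Content matches without
# distance/within are unordered, so only the noAUTO value is inspected.
LOGIN_URI = "/front/login.php"
BODY_TOKENS = ("_glpi_csrf_token=", "auth=", "noAUTO=0")
RELATIVE_ANCHOR = "noAUTO=0"
# Copied verbatim from the rule's pcre: a raw ' " ; - \ * / or its %-encoded
# form (%27 %22 %3b %2d %5c %2a %2f, either case) before the next '&'.
SQLI_AFTER_ANCHOR = re.compile(
    r"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))"
)


def matches_sid_2067153(method: str, uri: str, body: str) -> bool:
    """True when a request satisfies every condition of the rule."""
    if method != "POST" or LOGIN_URI not in uri:
        return False
    if not all(token in body for token in BODY_TOKENS):
        return False
    # The engine retries a relative match against each occurrence of the
    # anchor content, so test the regex after every "noAUTO=0" in the body.
    # Slicing (rather than match(body, pos)) keeps '^' anchored at the anchor.
    start = body.find(RELATIVE_ANCHOR)
    while start != -1:
        if SQLI_AFTER_ANCHOR.match(body[start + len(RELATIVE_ANCHOR):]):
            return True
        start = body.find(RELATIVE_ANCHOR, start + 1)
    return False


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, target, body


def _request(body: str, method: str = "POST",
             target: str = "/glpi/front/login.php") -> str:
    # Builds a constructed request; glpi.example is a hypothetical host.
    return (
        f"{method} {target} HTTP/1.1\r\nHost: glpi.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample traffic. The firing bodies only carry a quote in the
# noAUTO value to exercise the regex; they are not exploit payloads.
SAMPLE_REQUESTS = {
    "benign_login": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0&login_name=alice&login_password=hunter2"
    ),
    "raw_quote_in_noauto": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0'&login_name=alice&login_password=x"
    ),
    "encoded_quote_in_noauto": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0%27&login_name=alice&login_password=x"
    ),
    # A quote elsewhere in the body (a legitimate name) must not fire.
    "quote_in_other_param": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0&login_name=O'Brien&login_password=x"
    ),
    # Same suspicious body, but wrong method or wrong path: no alert.
    "get_with_quote": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0'", method="GET"
    ),
    "other_endpoint": _request(
        "_glpi_csrf_token=deadbeef&auth=local&noAUTO=0'",
        target="/glpi/front/central.php",
    ),
}


def scan_samples() -> dict:
    """Run every sample through the rule logic; returns {label: fired}."""
    return {
        label: matches_sid_2067153(*parse_http_request(raw))
        for label, raw in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, fired in scan_samples().items():
        print(f"{label:26s} {'ALERT' if fired else 'no match'}")
```

The quote_in_other_param case is the one worth noting when tuning: because the pcre is relative to noAUTO=0, an apostrophe in a username or password never fires this signature, and conversely an injection placed in any other login parameter is not covered by it. The regex is applied to a slice of the body rather than with a position argument because Python's `^` only matches at the real start of the string, which would silently break the /R emulation.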

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv              9.8    CRITICAL