cbcvebase.
CVE-2022-34127
published 2023-04-16

CVE-2022-34127: The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.

Priority P357 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 6.71% (93.1th percentile)

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | manageentities | < 4.0.2 | 4.0.2 |

Detection & IOCs (extracted from sources)

  • Alert on directory traversal sequences (e.g., `../../` or mixed `..\`) present in the `file` parameter of requests targeting `/marketplace/manageentities/inc/cri.class.php`.
  • This exploit requires NO authentication — monitor for requests to the vulnerable path from unauthenticated sessions (no valid session cookie/token).
  • The vulnerability is present in Managentities plugin versions strictly before 4.0.2; instances running 4.0.2 or later are not affected.
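The three bullets above can be turned into a small log-scanning check. The script below is an added example, not code from this page or from the GLPI or Managentities projects: it reads access-log lines in a constructed Apache-style custom format (`%h %l %u %t "%r" %>s %b "%{Cookie}i"`), keeps only requests whose path is `/marketplace/manageentities/inc/cri.class.php`, decodes the `file` query parameter (including double percent-encoding and backslash separators) and flags traversal sequences. Treating an empty Cookie field (`-`) as an unauthenticated request is an assumption made for the example, as is the constructed `SAMPLE_LOG`; the version helper implements the "strictly before 4.0.2" rule from the last bullet.

```python
"""Flag directory-traversal attempts in the `file` parameter of the
Managentities plugin endpoint (CVE-2022-34127). Added example; log format
and sample lines are constructed, not taken from a real deployment."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/marketplace/manageentities/inc/cri.class.php"

# Constructed log format: %h %l %u %t "%r" %>s %b "%{Cookie}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

# A ".." path segment bounded by a slash, a backslash, or the string edge.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample lines: one benign request, one plain traversal without a
# session cookie, one double-encoded backslash traversal with a cookie, one
# traversal against an unrelated path, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Apr/2023:10:00:01 +0000] "GET /marketplace/manageentities/inc/cri.class.php?file=report.pdf HTTP/1.1" 200 512 "-"',
    '203.0.113.11 - - [16/Apr/2023:10:00:02 +0000] "GET /marketplace/manageentities/inc/cri.class.php?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-"',
    '203.0.113.12 - - [16/Apr/2023:10:00:03 +0000] "GET /marketplace/manageentities/inc/cri.class.php?file=..%255c..%255c..%255cetc%255cpasswd HTTP/1.1" 200 2048 "glpi_session=EXAMPLE"',
    '203.0.113.13 - - [16/Apr/2023:10:00:04 +0000] "GET /index.php?file=../x HTTP/1.1" 404 128 "-"',
    "garbage line that does not match the format",
]


def normalize(value: str) -> str:
    """Percent-decode repeatedly (bounded, to defeat double encoding) and
    unify backslashes to forward slashes before pattern matching."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(value: str) -> bool:
    """True if the normalized value contains a '..' path segment."""
    return bool(TRAVERSAL_RE.search(normalize(value)))


def is_affected(version: str) -> bool:
    """True when a Managentities plugin version is strictly before 4.0.2."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (4, 0, 2)


def analyze(lines):
    """Return one alert dict per request to the vulnerable path whose
    `file` parameter carries a traversal sequence."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue  # only the plugin endpoint is in scope
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("file", []):  # parse_qs already decoded once
            if has_traversal(raw):
                alerts.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "file": normalize(raw),
                    # Assumption: an empty Cookie field means no session.
                    "authenticated": m.group("cookie") != "-",
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        who = "authenticated" if alert["authenticated"] else "UNAUTHENTICATED"
        print(f"{alert['ip']} -> {alert['file']} ({who}, HTTP {alert['status']})")
```

The bounded decode loop matters: a single `unquote` would leave `..%5c..%5c` untouched and the backslash variant in the first bullet would slip past the pattern. Matching on the path alone (not the full request string) also avoids false positives from traversal strings aimed at unrelated endpoints.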