CVE-2022-34127
Published 2023-04-16
Priority: P3 · 57
Severity: high, CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 6.71% (93.1st percentile)
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | manageentities | < 4.0.2 | 4.0.2 |
Detection & IOCs (extracted from sources)
- Alert on directory traversal sequences (e.g., `../../` or mixed `..\`) in the `file` parameter of requests targeting `/marketplace/manageentities/inc/cri.class.php`.
- This exploit requires no authentication: monitor for requests to the vulnerable path from unauthenticated sessions (no valid session cookie or token).
- The vulnerability is present in Managentities plugin versions strictly before 4.0.2; instances running 4.0.2 or later are not affected.
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/InfotelGLPI/manageentities/releases/tag/4.0.2
- https://github.com/InfotelGLPI/manageentities/security/advisories/GHSA-4hpg-m8fv-xv3h
- https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/