⚠ Actively exploited
Added to CISA KEV on 2023-03-07. Federal agencies required to patch by 2023-03-28. Required action: Apply updates per vendor instructions..

CVE-2022-35914Injection in Glpi

CWE-74Injection7 documents7 sources
Severity
9.8CRITICALNVD
EPSS
94.4%
top 0.02%
CISA KEV
KEV
Added 2023-03-07
Due 2023-03-28
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Glpi-project Glpi
Timeline
PublishedSep 19
KEV addedMar 7
KEV dueMar 28
Latest updateJan 28
CISA Required Action: Apply updates per vendor instructions.

Description

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDglpi-project/glpi10.0.2

Patches

Patch: www.bioinformatics.orgPatch: www.bioinformatics.org

🔴Vulnerability Details

1
VulnCheck
Teclib GLPI Remote Code Execution Vulnerability2022

💥Exploits & PoCs

3
Exploit-DB
htmlLawed 1.2.5 - Remote Code Execution (RCE)2024-05-19
Metasploit
GLPI htmLawed php command injection
Nuclei
GLPI <=10.0.2 - Remote Command Execution

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS GLPI Unauthenticated PHP Code Injection via htmlawed Module (CVE-2022-35914)2026-01-28

📋Vendor Advisories

1
CISA
Teclib GLPI Remote Code Execution Vulnerability2023-03-07