CVE-2022-39323 — SQL Injection in Glpi

CWE-89 — SQL Injection CWE-1220 — Insufficient Granularity of Access Control CWE-863 — Incorrect Authorization3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

1.2%

top 21.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi Aimeos Ai-admin-graphql

Timeline

PublishedNov 3

Latest updateJul 2

Description

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on API Rest.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5glpi-project/glpi< 10.0.4

▶NVDglpi-project/glpi9.1 — 10.0.4

▶Packagistaimeos/ai-admin-graphql2022.04.1 — 2022.10.10+2

🔴Vulnerability Details

GHSA

aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account↗2024-07-02

▶

OSV

CVE-2022-39323: GLPI stands for Gestionnaire Libre de Parc Informatique↗2022-11-03

▶