CVE-2023-41320
published 2023-09-27


Priority: P2 (72)
Severity: critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 32.10% (98.1th percentile)
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Affected (2 ranges)

Vendor        Product  Version range         Fixed in
glpi-project  glpi
glpi-project  glpi     >= 10.0.0 < 10.0.10   10.0.10

Detection & IOCs (extracted from sources)

url: /ajax/itillayout.php
url: https://github.com/Orange-Cyberdefense/glpwnme
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Account Takeover via SQL Injection in UI Layout Preferences (CVE-2023-41320)"; flow:established,to_server; http.uri; content:"/ajax/itillayout.php"; fast_pattern; http.request_body; content:"itil_layout|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,github.com/Orange-Cyberdefense/glpwnme; reference:cve,2023-41320; classtype:web-application-attack; sid:2067155; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2023_41320, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: itil_layout|3d|
  • Inspect the POST request body for the parameter 'itil_layout=' (encoded as itil_layout|3d|) followed by SQL injection characters: single/double quotes, semicolons, dashes, backslashes, asterisks, forward slashes, or their URL-encoded equivalents (%22, %27, %2a, %2d, %2f, %3b, %5c).
  • Successful exploitation can lead to administrator account takeover via SQL injection in the UI layout preferences feature.
  • Users are advised to upgrade to GLPI version 10.0.10; there are no known workarounds for this vulnerability.
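As an added example (not code from the page's sources or from the rule's author), the following Python reproduces the request-body check the Snort rule above performs, so the rule's logic can be exercised offline before deployment. The request bodies in SAMPLES are constructed for the demonstration, not captured traffic.

```python
import re

# Values taken from the Snort rule above (sid:2067155).
TARGET_URI = "/ajax/itillayout.php"
PARAM_PREFIX = "itil_layout="  # content:"itil_layout|3d|" in http.request_body

# The rule's PCRE. With the /R flag it runs relative to the end of the
# "itil_layout=" content match: it walks the value lazily up to the next '&'
# and fires on a raw SQL metacharacter (' " ; - \ * /) or its %XX-encoded form.
VALUE_RE = re.compile(
    r"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))"
)


def body_matches_rule(body: str) -> bool:
    """True if a POST body satisfies the rule's body content match plus PCRE."""
    # Snort retries later occurrences of the content match when the PCRE fails
    # on an earlier one, so every "itil_layout=" in the body is examined.
    start = body.find(PARAM_PREFIX)
    while start != -1:
        value_start = start + len(PARAM_PREFIX)
        if VALUE_RE.match(body[value_start:]):
            return True
        start = body.find(PARAM_PREFIX, value_start)
    return False


def request_matches_rule(method: str, uri: str, body: str) -> bool:
    """Apply the remaining rule options: POST method and the target URI."""
    return method.upper() == "POST" and TARGET_URI in uri and body_matches_rule(body)


# Constructed sample bodies mapped to the verdict the rule should give.
SAMPLES = {
    "itil_layout=default&sort=asc": False,      # clean value
    "itil_layout=default'&sort=asc": True,      # raw single quote in the value
    "itil_layout=default%27": True,             # URL-encoded single quote
    "sort=it's&itil_layout=default": False,     # quote belongs to another parameter
    "itil_layout=a&itil_layout=b;": True,       # only the second occurrence matches
    "layout=default'": False,                   # parameter absent entirely
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        verdict = body_matches_rule(sample)
        print(f"{'ALERT ' if verdict else 'pass  '} {sample!r} (expected {expected})")
```

Note that the PCRE treats an encoded double quote (%22) as suspicious, so any legitimate value containing one would also trigger the rule; verify against real GLPI traffic before relying on it as a high-confidence signal.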

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL