CVE-2024-27096
Published 2024-03-18
Priority: P3 · 57 · medium · 6.5 (CVSS 3.1)
Vector: AV:N AC:L PR:L UI:N S:U C:H I:N A:N
EPSS: 62.71% (99.1st percentile)
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | >= 0.65 < 10.0.13 | 10.0.13 |
Detection & IOCs (extracted from sources)
Indicator (URL): /front/ticket.php?
- SQL injection payload is delivered via the `sort[]` parameter in HTTP requests to `/front/ticket.php`. Look for SQL metacharacters (single/double quote, semicolon, dash, backslash, asterisk, forward slash) or their URL-encoded equivalents (%22, %27, %2a, %2d, %2f, %3b, %5c) immediately following the `sort[]` parameter value.
- The attack targets the GLPI search engine endpoint `/front/ticket.php` and requires an authenticated session. Monitor authenticated HTTP traffic to this URI for anomalous `sort[]` parameter values containing SQL injection characters.
- Emerging Threats Snort/Suricata SID 2067158 (rev:1) covers this CVE. Deploy or verify this rule is active on perimeter, internal, and SSL-decrypting sensors.
- The Snort/Suricata rule requires TLS decryption to be effective against HTTPS-protected GLPI instances, as indicated by the `tls_state TLSDecrypt` and `deployment SSLDecrypt` metadata. Without SSL inspection, the rule will not fire on encrypted traffic.
- The vulnerability is fixed in GLPI version 10.0.13. Instances running versions prior to 10.0.13 remain vulnerable and should be prioritised for patching.
CVSS provenance
- NVD (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- OSV: 6.5 MEDIUM
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Search (CVE-2024-27096)
Source: suricata · created 2026-01-28 · severity HIGH · CVSS 7.7
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Search (CVE-2024-27096)"; flow:established,to_server; http.uri; content:"/front/ticket.php|3f|"; fast_pattern; content:"sort|5b 5d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,blog.quarkslab.com/exploiting-glpi-during-a-red-team-engagement.html; reference:cve,2024-27096; classtype:web-application-attack; sid:2067158; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_27096, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, ta
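To make the detection guidance above and the rule's matching chain concrete, here is an added Python re-implementation of the rule's content/pcre logic (not code from the page or from the ET ruleset) run over constructed sample URIs; it assumes the URI as it would appear in Suricata's `http.uri` buffer and emulates the pcre `/R` flag by slicing the URI just after the `sort[]` match.

```python
import re

# Re-implementation of the matching chain in ET sid 2067158 (added example, not the
# ruleset's own code) so a defender can see which request URIs the rule would flag.
URI_ANCHOR = "/front/ticket.php?"      # content:"/front/ticket.php|3f|"
PARAM_ANCHOR = "sort[]"                # content:"sort|5b 5d|"
# The rule's pcre without the /R flag; /R (match relative to the end of the previous
# content match) is emulated by slicing the URI right after "sort[]".
META_RE = re.compile(
    r"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]"   # ' " ; - \ * /
    r"|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))"          # %22 %27 %2a %2d %2f %3b %5c
)


def rule_fires(uri: str) -> bool:
    """True when the URI satisfies the rule's content/pcre chain.

    Suricata retries the pcre for every occurrence of "sort[]", so we do too.
    The [^&] class confines the search to the sort[] value itself: a
    metacharacter in a later parameter does not trigger the rule.
    """
    if URI_ANCHOR not in uri:
        return False
    idx = uri.find(PARAM_ANCHOR)
    while idx >= 0:
        if META_RE.match(uri[idx + len(PARAM_ANCHOR):]):
            return True
        idx = uri.find(PARAM_ANCHOR, idx + 1)
    return False


def flagged(uris):
    """Return the subset of URIs the rule would alert on (for log triage)."""
    return [u for u in uris if rule_fires(u)]


# Constructed sample URIs (not captured traffic).
SAMPLES = [
    "/front/ticket.php?is_deleted=0&sort[]=19&order[]=DESC",   # normal column sort
    "/front/ticket.php?sort[]=19%27&order[]=ASC",              # encoded quote in sort[]
    "/front/ticket.php?sort[]=19'",                            # literal quote in sort[]
    "/front/ticket.php?sort[]=19&criteria[0][value]=o'neil",   # quote outside sort[]
    "/front/computer.php?sort[]=19'",                          # other endpoint, not covered
    "/front/ticket.php?sort[]=-1",                             # a bare '-' also matches
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("ALERT " if rule_fires(u) else "      ", u)
```

The last two samples show the rule's scope: it only covers `/front/ticket.php`, and a plain minus sign in `sort[]` is enough to alert, so tune for false positives against your own GLPI traffic.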
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/glpi-project/glpi/commit/61a0c2302b4f633f5065358adc36058e1abc37f9
- https://github.com/glpi-project/glpi/releases/tag/10.0.13
- https://github.com/glpi-project/glpi/security/advisories/GHSA-2x8m-vrcm-2jqv