cbcvebase.
CVE-2024-27096
published 2024-03-18


Priority: P357 · medium 6.5 (CVSS 3.1)
Vector: AV:N AC:L PR:L UI:N S:U C:H I:N A:N
EPSS: 62.71% (99.1th percentile)
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

Affected (2 ranges)

Vendor        Product  Version range        Fixed in
glpi-project  glpi     -                    -
glpi-project  glpi     >= 0.65 < 10.0.13    10.0.13

Detection & IOCs (extracted from sources)

URL: /front/ticket.php?
  • SQL injection payload is delivered via the `sort[]` parameter in HTTP requests to `/front/ticket.php`. Look for SQL metacharacters (single/double quote, semicolon, dash, backslash, asterisk, forward slash) or their URL-encoded equivalents (%22, %27, %2a, %2d, %2f, %3b, %5c) immediately following the `sort[]` parameter value.
  • The attack targets the GLPI search engine endpoint `/front/ticket.php` and requires an authenticated session. Monitor authenticated HTTP traffic to this URI for anomalous `sort[]` parameter values containing SQL injection characters.
  • Emerging Threats Snort/Suricata SID 2067158 (rev:1) covers this CVE. Deploy or verify this rule is active on perimeter, internal, and SSL-decrypting sensors.
  • The Snort/Suricata rule requires TLS decryption to be effective against HTTPS-protected GLPI instances, as indicated by the `tls_state TLSDecrypt` and `deployment SSLDecrypt` metadata. Without SSL inspection, the rule will not fire on encrypted traffic.
  • The vulnerability is fixed in GLPI version 10.0.13. Instances running versions prior to 10.0.13 remain vulnerable and should be prioritised for patching.
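The detection notes above describe a network signature; the same check can be run retrospectively over web server access logs, which are written after TLS termination and so do not depend on SSL inspection. The following is an added example (not code from cbcvebase, GLPI, or the Emerging Threats rule): it parses Apache "combined"-format lines, keeps only requests to `/front/ticket.php`, and flags `sort[]` values that contain the SQL metacharacters listed above, either literally or still percent-encoded after one round of decoding (which catches double-encoded input). The log lines are constructed for the example, and the assumption that parameter names beginning with `sort[` belong to the search engine's sort array is the example's own.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/Mar/2024:10:01:02 +0000] "GET /front/ticket.php?sort[]=12&order[]=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - bob [18/Mar/2024:10:01:07 +0000] "GET /front/ticket.php?sort[]=12%27 HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
10.0.0.9 - bob [18/Mar/2024:10:01:09 +0000] "GET /front/ticket.php?sort%5B%5D=1%3B HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
10.0.0.7 - carol [18/Mar/2024:10:02:00 +0000] "GET /front/computer.php?sort[]=1%27 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.8 - dave [18/Mar/2024:10:02:10 +0000] "POST /front/ticket.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, user, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Metacharacters named in the detection notes, literal and URL-encoded forms.
SQL_META = set("'\";-\\*/")
ENCODED_META = re.compile(r"%(22|27|2a|2d|2f|3b|5c)", re.IGNORECASE)
TARGET_PATH = "/front/ticket.php"


def suspicious_sort_values(target):
    """Return decoded sort[] values from a request target that carry SQL metacharacters.

    Only the GLPI search endpoint is inspected. A value is flagged when, after one
    round of percent-decoding, it still contains a metacharacter literally or as an
    encoded sequence (the latter indicates double encoding).
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        # Assumption for this example: sort[] and indexed forms such as sort[0]
        # both belong to the search engine's sort array.
        if not unquote_plus(name).startswith("sort["):
            continue
        decoded = unquote_plus(raw)
        if SQL_META.intersection(decoded) or ENCODED_META.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(text):
    """Parse combined-format lines and return one finding per flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        values = suspicious_sort_values(m["target"])
        if values:
            findings.append({
                "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                "status": int(m["status"]), "values": values,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} status={f['status']} sort={f['values']}")
```

Because the check reads the logged query string, it only works where the web server records full request targets; the `user` field is populated only under HTTP authentication, so in a form-login deployment the session should be correlated from GLPI's own logs instead.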

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv     -        6.5    MEDIUM    -