CVE-2024-27096 — SQL Injection in Glpi

CWE-89 — SQL Injection3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

16.0%

top 5.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedMar 18

Latest updateJan 28

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDglpi-project/glpi0.65 — 10.0.13

▶CVEListV5glpi-project/glpi>= 0.65, < 10.0.13

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-27096: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing↗2024-03-18

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Search (CVE-2024-27096)↗2026-01-28

▶