cbcvebase.
CVE-2024-29889
published 2024-05-07

Priority: P274 · high · 8.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploit: available
EPSS: 63.21% (99.1st percentile)
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.

Affected (2 ranges)

Vendor        Product  Version range            Fixed in
glpi-project  glpi     < 10.0.15                10.0.15
glpi-project  glpi     >= 10.0.10, < 10.0.15    10.0.15

Detection & IOCs (extracted from sources)

url: /front/login.php
url: /ajax/common.tabs.php?_glpi_tab=User%241&main_class=tab_cadre_fixe&_target=%2Fglpi%2Ffront%2Fpreference.php&_itemtype=Preference&id=0
url: /front/preference.php
url: /ajax/pin_savedsearches.php
command: {"exploit":"',api_token='{{randstr}}' where id={{id}};-- -"}
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)"; flow:established,to_server; http.uri; content:"/front/preference.php"; fast_pattern; http.request_body; content:"savedsearches_pinned|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-29889; classtype:web-application-attack; sid:2067161; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_29889, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The SQL injection payload is delivered via the `savedsearches_pinned` POST body parameter to `/front/preference.php`. Look for SQL metacharacters (single quote, semicolon, double-dash) in that field.
  • The exploit chain requires authentication first; watch for a POST to `/front/login.php` followed shortly by a POST to `/front/preference.php` with a multipart body containing `savedsearches_pinned`.
  • After injecting the payload, the attacker calls `/ajax/pin_savedsearches.php` with `itemtype=Monitor` and checks for `"success":true` in the response to confirm exploitation.
  • Final confirmation step: the attacker checks `/ajax/common.tabs.php` for `name="_api_token" value="<injected_token>"` to verify account takeover succeeded.
  • Shodan fingerprint for exposed GLPI instances targeted by this CVE is `http.title:"glpi"`.
  • The injection manipulates the `api_token` column directly: `',api_token='<value>' where id=<id>;-- -`. Monitor database logs for UPDATE statements on the users table altering `api_token`.
  • The exploit uses a custom multipart boundary `----WebKitFormBoundaryRNyVHuSeiTMi2G7K`; this static boundary in a POST to `/front/preference.php` is a strong indicator of automated exploitation.
  • Requests to `/ajax/pin_savedsearches.php` include the custom header `X-Glpi-Csrf-Token` and `X-Requested-With: XMLHttpRequest`; anomalous programmatic use of this endpoint warrants investigation.
  • Exploitation requires a valid authenticated session (low-privilege user is sufficient); unauthenticated scanning alone will not trigger this vulnerability.
  • The Snort/ET rule (sid:2067161) requires TLS decryption (`tls_state TLSDecrypt`) to inspect the POST body when GLPI is served over HTTPS; deploy with SSLDecrypt or inline TLS inspection for full coverage.
  • Affected versions are 10.0.10 through 10.0.14; the fix is in 10.0.15. Detections are only relevant against unpatched instances.
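As an added example (not code from the page, its sources, or the GLPI project), the following Python matcher applies the conditions of the ET rule above (sid:2067161) to raw HTTP requests and, going beyond the rule, also reads the field out of a multipart/form-data body, which the notes say the exploit uses. The sample requests are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Same character classes as the rule's PCRE: raw ' " ; - \ * / or their
# percent-encoded forms (%27 %22 %2A %2D %2F %3B %5C).
PARAM = "savedsearches_pinned"
META_RE = re.compile(r"[\x27\x22\x3b\x2d\x5c\x2a\x2f]|%(?:2[27aAdDfF]|3[bB]|5[cC])")
MULTIPART_RE = re.compile(
    r'name="' + PARAM + r'"(?:;[^\r\n]*)?\r\n(?:[^\r\n]+\r\n)*\r\n(.*?)\r\n--', re.S)

@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str

def parse_request(raw: str) -> HttpRequest:
    """Split a raw CRLF-delimited HTTP/1.1 request into method, URI and body."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return HttpRequest(method, uri, body)

def pinned_value(body: str) -> Optional[str]:
    """Return the savedsearches_pinned value from a form-urlencoded or multipart body."""
    pos = body.find(PARAM + "=")
    if pos >= 0:                        # form-urlencoded: value ends at the next '&'
        return body[pos + len(PARAM) + 1:].split("&", 1)[0]
    m = MULTIPART_RE.search(body)       # multipart: value follows the part headers
    return m.group(1) if m else None

def matches_cve_2024_29889(raw: str) -> bool:
    """True when the request meets the rule's conditions: POST, URI, metacharacter."""
    req = parse_request(raw)
    if req.method != "POST" or "/front/preference.php" not in req.uri:
        return False
    value = pinned_value(req.body)
    return value is not None and META_RE.search(value) is not None

# Constructed sample traffic (hypothetical host, not captured data).
HEAD = "POST /glpi/front/preference.php HTTP/1.1\r\nHost: glpi.example\r\n\r\n"
BENIGN = HEAD + "savedsearches_pinned=%5B1%2C2%5D&itemtype=Preference"
ENCODED_QUOTE = HEAD + "savedsearches_pinned=1%27&itemtype=Preference"
MULTIPART = (HEAD + "--B\r\nContent-Disposition: form-data; "
             "name=\"savedsearches_pinned\"\r\n\r\n1'\r\n--B--\r\n")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("encoded", ENCODED_QUOTE), ("multipart", MULTIPART)):
        print(name, matches_cve_2024_29889(raw))
```

Like the Snort rule, this only sees the body in clear text, so it must run on decrypted traffic or a web-server request log that records POST bodies.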

CVSS provenance

nvd: v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
osv: 8.1 HIGH