CVE-2024-29889
Published 2024-05-07
Priority P274 · high · 8.1 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS 63.21% (99.1th percentile)
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | < 10.0.15 | 10.0.15 |
| glpi-project | glpi | >= 10.0.10 < 10.0.15 | 10.0.15 |
Detection & IOCs (extracted from sources)
- url: /front/login.php
- url: /ajax/common.tabs.php?_glpi_tab=User%241&main_class=tab_cadre_fixe&_target=%2Fglpi%2Ffront%2Fpreference.php&_itemtype=Preference&id=0
- url: /front/preference.php
- url: /ajax/pin_savedsearches.php
- command: {"exploit":"',api_token='{{randstr}}' where id={{id}};-- -"}

Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)"; flow:established,to_server; http.uri; content:"/front/preference.php"; fast_pattern; http.request_body; content:"savedsearches_pinned|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-29889; classtype:web-application-attack; sid:2067161; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_29889, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- The SQL injection payload is delivered via the `savedsearches_pinned` POST body parameter to `/front/preference.php`. Look for SQL metacharacters (single quote, semicolon, double-dash) in that field.
- The exploit chain requires authentication first; watch for a POST to `/front/login.php` followed shortly by a POST to `/front/preference.php` with a multipart body containing `savedsearches_pinned`.
- After injecting the payload, the attacker calls `/ajax/pin_savedsearches.php` with `itemtype=Monitor` and checks for `"success":true` in the response to confirm exploitation.
- Final confirmation step: the attacker checks `/ajax/common.tabs.php` for `name="_api_token" value="<injected_token>"` to verify account takeover succeeded.
- Shodan fingerprint for exposed GLPI instances targeted by this CVE is `http.title:"glpi"`.
- The injection manipulates the `api_token` column directly: `',api_token='<value>' where id=<id>;-- -`. Monitor database logs for UPDATE statements on the users table altering `api_token`.
- The exploit uses a custom multipart boundary `----WebKitFormBoundaryRNyVHuSeiTMi2G7K`; this static boundary in a POST to `/front/preference.php` is a strong indicator of automated exploitation.
- Requests to `/ajax/pin_savedsearches.php` include the custom header `X-Glpi-Csrf-Token` and `X-Requested-With: XMLHttpRequest`; anomalous programmatic use of this endpoint warrants investigation.
- Exploitation requires a valid authenticated session (a low-privilege user is sufficient); unauthenticated scanning alone will not trigger this vulnerability.
- The Snort/ET rule (sid:2067161) requires TLS decryption (`tls_state TLSDecrypt`) to inspect the POST body when GLPI is served over HTTPS; deploy with SSLDecrypt or inline TLS inspection for full coverage.
- Affected versions are 10.0.10 through 10.0.14; the fix is in 10.0.15. Detections are only relevant against unpatched instances.
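The detection logic described in the notes above, as an added example that is not part of this page's sources, of the ET rule set, or of GLPI itself: a Python checker that applies the same metacharacter test as the ET rule's PCRE to the `savedsearches_pinned` value of POSTs to `/front/preference.php`, correlates each hit with a preceding POST to `/front/login.php` from the same client, and flags the static multipart boundary. The request records, client addresses, timestamps, the ten-minute correlation window and the dict layout are constructed assumptions; in practice the records would come from a reverse proxy or WAF log that captures decrypted POST bodies, since the body is invisible without TLS termination.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Same character test as the ET/Snort rule's PCRE: a raw SQL metacharacter
# (' " ; - \ * /) or its percent-encoded form (%27 %22 %2A %2D %2F %3B %5C)
# anywhere in the savedsearches_pinned value (up to the next '&').
META_RE = re.compile(r"[\x27\x22\x3b\x2d\x5c\x2a\x2f]|%(?:2[27aAdDfF]|3[bB]|5[cC])")
PARAM = "savedsearches_pinned="
# Static multipart boundary listed among the page's IOCs.
STATIC_BOUNDARY = "----WebKitFormBoundaryRNyVHuSeiTMi2G7K"


def pinned_value(body: str) -> Optional[str]:
    """Return the savedsearches_pinned value (up to the next '&'), or None if absent."""
    idx = body.find(PARAM)
    if idx < 0:
        return None
    return body[idx + len(PARAM):].split("&", 1)[0]


def analyze(requests, window=timedelta(minutes=10)):
    """Return one finding per POST to /front/preference.php whose
    savedsearches_pinned value carries SQL metacharacters.

    `requests` is a list of dicts with keys ts, client, method, uri, body
    (a constructed record shape; adapt it to whatever the proxy/WAF log provides).
    """
    last_login = {}   # client -> timestamp of its most recent POST /front/login.php
    findings = []
    for r in sorted(requests, key=lambda r: r["ts"]):
        if r["method"] != "POST":
            continue
        if r["uri"].endswith("/front/login.php"):
            last_login[r["client"]] = r["ts"]
            continue
        if not r["uri"].endswith("/front/preference.php"):
            continue
        value = pinned_value(r["body"])
        if value is None or not META_RE.search(value):
            continue
        reasons = ["sql metacharacter in savedsearches_pinned"]
        login_ts = last_login.get(r["client"])
        if login_ts is not None and r["ts"] - login_ts <= window:
            reasons.append("preceded by login within window")
        if STATIC_BOUNDARY in r["body"]:
            reasons.append("static exploit boundary")
        findings.append({"client": r["client"], "ts": r["ts"], "reasons": reasons})
    return findings


# Constructed sample traffic (addresses, times and bodies are made up for the example).
T0 = datetime(2024, 5, 9, 12, 0, 0)
SAMPLE_REQUESTS = [
    {"ts": T0, "client": "198.51.100.7", "method": "POST",
     "uri": "/glpi/front/login.php", "body": "login_name=user&login_password=REDACTED"},
    # login followed 20 s later by a preference update carrying encoded ' ; - characters
    {"ts": T0 + timedelta(seconds=20), "client": "198.51.100.7", "method": "POST",
     "uri": "/glpi/front/preference.php", "body": "id=5&savedsearches_pinned=%27%3B--+-&update=1"},
    # benign preference update: plain value, no metacharacters
    {"ts": T0 + timedelta(minutes=3), "client": "203.0.113.9", "method": "POST",
     "uri": "/glpi/front/preference.php", "body": "id=7&savedsearches_pinned=0&update=1"},
    # multipart body using the static boundary, no login seen in the window
    {"ts": T0 + timedelta(hours=2), "client": "203.0.113.9", "method": "POST",
     "uri": "/glpi/front/preference.php",
     "body": "--" + STATIC_BOUNDARY + "\r\nContent-Disposition: form-data; name=\"p\"\r\n\r\n"
             "savedsearches_pinned='x\r\n--" + STATIC_BOUNDARY + "--"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_REQUESTS):
        print(f["ts"].isoformat(), f["client"], "; ".join(f["reasons"]))
```

Note that the rule's character class also covers double quote, slash and backslash, so any legitimate value containing those characters matches as well; tune the regex against a sample of known-good `preference.php` traffic before alerting on the metacharacter condition alone, and weight the login correlation and the static boundary more heavily.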
CVSS provenance
- NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- OSV: 8.1 HIGH
Suricata: ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)
suricata · 2026-01-28 · CVSS 7.1 · CVE-2024-29889 [HIGH]

Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)"; flow:established,to_server; http.uri; content:"/front/preference.php"; fast_pattern; http.request_body; content:"savedsearches_pinned|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-29889; classtype:web-application-attack; sid:2067161; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_29889, deployment Perimeter, deployment
```
Suricata: ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Map Search (CVE-2024-31456)
suricata · 2026-01-28 · CVSS 7.1 · CVE-2024-31456 [HIGH]

Rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Map Search (CVE-2024-31456)"; flow:established,to_server; http.uri; content:"/ajax/map.php"; fast_pattern; http.request_body; content:"itemtype|3d|User"; content:"params|5b|sort|5d 5b 5d 3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-31456; classtype:web-application-attack; sid:2067160; rev:1; metadata:attack_target Server, created_at 2026_01_28, cve CVE_2024_31456, deployment Perimeter, deployment Internal, signature_severity
```
Nuclei: GLPI 10.0.10-10.0.14 - SQL Injection
nuclei · CVSS 8.1 · CVE-2024-29889 [HIGH]

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it.
Template:

```yaml
id: CVE-2024-29889

info:
  name: GLPI 10.0.10-10.0.14 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it.
  impact: |
    SQL Injection vulnerability in GLPI versions 10.0.10-10.0.14 allows an attacker to alter another user account data and take control of it.
  remediation: |
```
Writeups: no writeups or analysis indexed.

References:
- https://github.com/glpi-project/glpi/commit/0a6b28be4c0f848106c60b554c703ec2e178d6c7
- https://github.com/glpi-project/glpi/security/advisories/GHSA-8xvf-v6vv-r75g