CVE-2024-31456
Published 2024-05-07
Priority P3 · 53 · medium · 6.5 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 59.40% (99.0th percentile)
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | < 10.0.15 | 10.0.15 |
| glpi-project | glpi | >= 9.3.0 < 10.0.15 | 10.0.15 |
Detection & IOCs
url: /ajax/map.php
url: https://borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Map Search (CVE-2024-31456)"; flow:established,to_server; http.uri; content:"/ajax/map.php"; fast_pattern; http.request_body; content:"itemtype|3d|User"; content:"params|5b|sort|5d 5b 5d 3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-31456; classtype:web-application-attack; sid:2067160; rev:1; metadata:attack_target Server, created_at 2026_01_28, cve CVE_2024_31456, deployment Perimeter, deployment Internal, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Target POST requests to /ajax/map.php whose HTTP request body contains 'itemtype=User' (written in the rule as itemtype|3d|User, with '=' given as a hex byte): this is the entry point for the SQL injection in GLPI map search.
- The SQL injection payload is carried in the 'params[sort][]' parameter (written in the rule as params|5b|sort|5d 5b 5d 3d|, that is 'params[sort][]=' with the brackets and '=' given as hex bytes). Look for SQL metacharacters anywhere in the parameter value, up to the next '&': single/double quotes, semicolons, dashes, backslashes, asterisks, forward slashes, or their percent-encoded equivalents (%27, %22, %2a, %2d, %2f, %3b, %5c).
- The exploit requires authentication; correlate suspicious map.php POST activity with a valid authenticated session to reduce false positives and prioritize triage.
- MITRE mapping: TA0001 Initial Access / T1190 Exploit Public-Facing Application. Treat detections as potential initial access attempts against the GLPI server.
- The vulnerability is fixed in GLPI 10.0.15. Versions prior to 10.0.15 are affected. Ensure the version scope is reflected in detection tuning to avoid alerting on patched instances.
- The Snort/Suricata rule (sid:2067160) is scoped to perimeter and internal deployment: deploy it on both network boundaries and internal segments to catch lateral exploitation by already-authenticated internal users.
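
The same four conditions, applied to already-captured requests (proxy or web-server logs that retain POST bodies) and grouped by session for triage. This is an added example, not part of the rule or of GLPI; the record fields, function names and sample records are hypothetical and constructed, and it percent-decodes the form body before matching, so it complements the network rule rather than translating it.

```python
import re
from urllib.parse import parse_qsl

TARGET_PATH = "/ajax/map.php"
SORT_PARAM = "params[sort][]"
# Same character set as the rule's pcre: ' " ; - \ * /
SQL_META = re.compile(r"""['";\-\\*/]""")


def flag_map_search_request(method, path, body):
    """Return suspicious params[sort][] values from one request ([] if none)."""
    if method.upper() != "POST" or TARGET_PATH not in path:
        return []
    # parse_qsl percent-decodes names and values, so %27 and ' compare equal.
    fields = parse_qsl(body, keep_blank_values=True)
    if ("itemtype", "User") not in fields:
        return []
    return [v for k, v in fields if k == SORT_PARAM and SQL_META.search(v)]


def hunt(records):
    """Group flagged values by session so triage starts from the account."""
    hits = {}
    for rec in records:
        values = flag_map_search_request(rec["method"], rec["path"], rec["body"])
        if values:
            hits.setdefault(rec["session"], []).extend(values)
    return hits


# Constructed records (not real traffic); field names are hypothetical.
SAMPLE_RECORDS = [
    {"session": "sess-a", "method": "POST", "path": "/ajax/map.php",
     "body": "itemtype=User&params[sort][]=1"},
    {"session": "sess-b", "method": "POST", "path": "/glpi/ajax/map.php",
     "body": "itemtype=User&params[sort][]=1'"},
    {"session": "sess-b", "method": "POST", "path": "/ajax/map.php",
     "body": "itemtype=User&params%5Bsort%5D%5B%5D=1%27"},
    {"session": "sess-c", "method": "POST", "path": "/ajax/map.php",
     "body": "itemtype=Computer&params[sort][]=1'"},
    {"session": "sess-d", "method": "GET", "path": "/ajax/map.php", "body": ""},
]

if __name__ == "__main__":
    for session, values in hunt(SAMPLE_RECORDS).items():
        print(session, values)
```

Because dashes and slashes are in the character set, expect benign hits on deployments where sort values legitimately contain them; the per-session grouping is there to make that review quick.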
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv · 6.5 MEDIUM
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Map Search (CVE-2024-31456)
suricata·2026-01-28·CVSS 7.1
CVE-2024-31456 [HIGH] ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Map Search (CVE-2024-31456)
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)
suricata·2026-01-28·CVSS 7.1
CVE-2024-29889 [HIGH] ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated SQL Injection in Saved Searches (CVE-2024-29889)"; flow:established,to_server; http.uri; content:"/front/preference.php"; fast_pattern; http.request_body; content:"savedsearches_pinned|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,borelenzo.github.io/stuff/2024/05/09/exploit-CVE-2024-29889-31456.html; reference:cve,2024-29889; classtype:web-application-attack; sid:2067161; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_29889, deployment Perimeter, deployment
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/glpi-project/glpi/commit/730c3db29a1edc32f9b9d1e2a940e90a0211ab26
https://github.com/glpi-project/glpi/security/advisories/GHSA-gcj4-2cp3-6h5j
Published: 2024-05-07