CVE-2024-37148
Published 2024-07-10
Priority: P2 · 64 · high · CVSS 3.1 base score 8.1
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS: 20.39% (percentile 97.2)
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | >= 0.84 < 10.0.16 | 10.0.16 |
Detection & IOCs (extracted from sources)
- path: /ajax/savedsearch.php
- path: /front/display.options.php
- M1: matches requests to /ajax/savedsearch.php whose POST body carries the `ids[]=` parameter (the rule's `|5b 5d 3d|` is "[]=") followed, before the next `&`, by a SQL metacharacter: single or double quote, semicolon, hyphen, backslash, asterisk or slash, either raw or URL-encoded (%27 %22 %3b %2d %5c %2a %2f).
- M2: matches requests to /front/display.options.php whose URI carries the `sub_itemtype=` parameter (`|3d|` is "=") followed by the same character set. The `http.uri` sticky buffer set before the first content keyword is still in effect for the second one, so the parameter is checked in the query string, not in the request body.
- Both rules require `flow:established,to_server`. That is a TCP-state condition on the client-to-server direction, not a check for an authenticated GLPI session; the authentication precondition comes from the advisory, which describes the flaw as exploitable only by an authenticated user.
- The rules are tagged MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access). That tag describes exploitation of an exposed web application; the impact stated in the advisory is takeover of another user's account from an already-authenticated session, so a hit should be read as activity by an account that is already logged in, not as an unauthenticated break-in.
- Both rules carry `tls_state TLSDecrypt` and `deployment SSLDecrypt` metadata: they inspect HTTP and therefore only see traffic that is plaintext or has been decrypted by an inspection point. Where GLPI is served over HTTPS, the sensor needs TLS decryption (or placement behind the TLS terminator) for either signature to fire.
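As an added example (not code from this page, the Emerging Threats ruleset or the GLPI project), the following Python re-implements the content/pcre chain of the two rules above and runs it over constructed sample requests, so the trigger conditions can be checked on a host without a sensor. The sample URIs, bodies and labels are invented for illustration; the regular expression is the rules' own PCRE.

```python
import re

# Added example, not code from the page, Emerging Threats or the GLPI project: a
# host-side re-implementation of the matching logic of the two ET Suricata rules
# for CVE-2024-37148 (sids 2067165 / 2067166), run over constructed sample requests.

# The rules' PCRE, verbatim: from the end of the parameter name, scan the value up
# to the next '&' for ' " ; - \ * / or the URL-encoded forms %22 %27 %2a %2d %2f %3b %5c.
SQLI_VALUE = re.compile(
    rb"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))"
)

# Per rule: URI substring, which buffer the parameter is searched in, parameter prefix.
# M1 switches to http.request_body before its second content match; M2 never leaves
# the http.uri sticky buffer, so its parameter must appear in the query string.
RULES = {
    "M1": (b"/ajax/savedsearch.php", "body", b"ids[]="),             # |5b 5d 3d| == "[]="
    "M2": (b"/front/display.options.php", "uri", b"sub_itemtype="),  # |3d| == "="
}


def rule_fires(rule: str, uri: bytes, body: bytes) -> bool:
    """True if the named rule's content + pcre chain would match this request.

    Suricata retries later occurrences of a content match when a relative
    match (pcre /R) after it fails, so every occurrence of the parameter is tried.
    HTTP normalisation of the URI buffer is not modelled here.
    """
    path, buf, param = RULES[rule]
    if path not in uri:
        return False
    haystack = body if buf == "body" else uri
    for m in re.finditer(re.escape(param), haystack):
        if SQLI_VALUE.match(haystack[m.end():]):
            return True
    return False


# Constructed sample requests (not captured traffic): (label, rule, uri, body, expected).
SAMPLES = [
    ("M1 quote-based injection in ids[]", "M1",
     b"/glpi/ajax/savedsearch.php", b"action=restore&ids[]=1'+OR+1=1--", True),
    ("M1 URL-encoded quote", "M1",
     b"/glpi/ajax/savedsearch.php", b"ids[]=1%27", True),
    ("M1 benign numeric ids", "M1",
     b"/glpi/ajax/savedsearch.php", b"ids[]=12&ids[]=13", False),
    ("M1 metacharacter only in a later parameter", "M1",
     b"/glpi/ajax/savedsearch.php", b"ids[]=12&comment=it's", False),
    ("M1 hyphen in value (benign-looking, still fires)", "M1",
     b"/glpi/ajax/savedsearch.php", b"ids[]=1-2", True),
    ("M2 quote in sub_itemtype query parameter", "M2",
     b"/glpi/front/display.options.php?sub_itemtype=Computer'", b"", True),
    ("M2 parameter only in POST body", "M2",
     b"/glpi/front/display.options.php", b"sub_itemtype=Computer'", False),
    ("M2 wrong endpoint", "M2",
     b"/glpi/front/central.php?sub_itemtype=Computer'", b"", False),
]


def run_samples() -> dict:
    """Map each sample label to (fired, expected)."""
    return {label: (rule_fires(rule, uri, body), exp)
            for label, rule, uri, body, exp in SAMPLES}


def all_as_expected() -> bool:
    return all(fired == exp for fired, exp in run_samples().values())


if __name__ == "__main__":
    for label, (fired, exp) in run_samples().items():
        print(f"{'FIRE' if fired else 'pass'}  {label} (expected {exp})")
```

Two things the samples make visible that the rule text alone does not: the scan stops at the first `&`, so a metacharacter in a neighbouring parameter does not trigger, and the character class includes the hyphen, so a value such as `1-2` fires even though it is not an injection; expect some tuning against legitimate traffic. The M2 body-only sample fails to fire because the second content match is still bound to `http.uri`.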
CVSS provenance
- NVD (v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- OSV: 8.1 HIGH
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-37148) M1 (suricata · created 2026-01-28 · CVSS 8.1 HIGH)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-37148) M1"; flow:established,to_server; http.uri; content:"/ajax/savedsearch.php"; fast_pattern; http.request_body; content:"ids|5b 5d 3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,borelenzo.github.io/stuff/2024/06/07/exploit-CVE-2024-37148.html; reference:cve,2024-37148; classtype:web-application-attack; sid:2067165; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_37148, deployment Perimeter, deployment Internal, deployment SSLDecrypt,
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-37148) M2 (suricata · created 2026-01-28 · CVSS 8.1 HIGH)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-37148) M2"; flow:established,to_server; http.uri; content:"/front/display.options.php"; fast_pattern; content:"sub_itemtype|3d|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; reference:url,borelenzo.github.io/stuff/2024/06/07/exploit-CVE-2024-37148.html; reference:cve,2024-37148; classtype:web-application-attack; sid:2067166; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_37148, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence
No public exploits indexed. No writeups or analysis indexed. (Both ET rules above do cite an exploit writeup, borelenzo.github.io/stuff/2024/06/07/exploit-CVE-2024-37148.html, which is not indexed on this page.)