CVE-2024-37149 — External Control of File Name or Path in Glpi

CWE-73 — External Control of File Name or Path CWE-94 — Code Injection3 documents3 sources

Severity

8.8HIGHNVD

EPSS

8.0%

top 7.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedJul 10

Latest updateJan 28

Description

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDglpi-project/glpi0.85 — 10.0.16

▶CVEListV5glpi-project/glpi>= 0.85, < 10.0.16

🔴Vulnerability Details

OSV

CVE-2024-37149: GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing↗2024-07-10

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS GLPI Authenticated Local File Inclusion (CVE-2024-37149)↗2026-01-28

▶