CVE-2024-40638
published 2024-11-15


Priority: P2 (69), high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 36.98% (98.3th percentile)
GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

Affected (2 ranges)

Vendor       | Product | Version range      | Fixed in
glpi-project | glpi    |                    |
glpi-project | glpi    | >= 0.85 < 10.0.17  | 10.0.17

Detection & IOCs (extracted from sources)

path: /ajax/savedsearch.php
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-40638)"; flow:established,to_server; http.uri; content:"/ajax/savedsearch.php"; fast_pattern; http.request_body; content:"ids|5b|"; pcre:"/^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))/R"; http.method; content:"POST"; reference:url,github.com/Orange-Cyberdefense/glpwnme/; reference:cve,2024-40638; classtype:web-application-attack; sid:2067167; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_40638, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor for POST requests to /ajax/savedsearch.php containing the 'ids[' parameter (hex: ids|5b|) in the request body — this is the injection point for CVE-2024-40638.
  • Flag request bodies where the ids[] parameter value contains SQL injection characters: single/double quote, semicolon, dash, backslash, asterisk, forward slash, or their URL-encoded equivalents (%22, %27, %2a, %2d, %2f, %3b, %5c).
  • The attack requires an authenticated session (authenticated SQL injection); correlate with valid session cookies to identify compromised accounts being used as the injection source.
  • Apply the Snort/Suricata rule SID 2067167 (ET rule) at perimeter, internal, and TLS-decrypting inspection points to detect exploitation attempts.
  • TLS decryption is required for full visibility; the rule metadata explicitly flags tls_state TLSDecrypt, meaning HTTPS traffic to GLPI will be blind without SSL/TLS inspection.
  • The vulnerability affects GLPI versions prior to 10.0.17; detection rules are only relevant for unpatched instances.
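As an added illustration (not from the cvebase page or the ET ruleset), the following Python approximates the match logic of SID 2067167 over constructed request samples, so a defender can see what the rule fires on and what the '&' boundary in its pcre excludes. The request fields and sample bodies are assumptions built for the demo.

```python
import re
from dataclasses import dataclass

# Mirrors the pcre from ET SID 2067167: after "ids[" (matched as ids|5b|),
# lazily consume non-'&' bytes, then require one SQL metacharacter
# (' " ; - \ * /) or its percent-encoded form (%22 %27 %2a %2d %2f %3b %5c).
SQLI_AFTER_IDS = re.compile(
    r"^[^&]*?(?:[\x27\x22\x3b\x2d\x5c\x2a\x2f]|\x25(?:2[27aAdDfF]|3[bB]|5[cC]))"
)

@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str

def matches_cve_2024_40638_rule(req: HttpRequest) -> bool:
    """Approximate the rule's conditions on an already-parsed request.

    True means: POST to /ajax/savedsearch.php whose body carries an ids[
    parameter followed, before the next '&', by a SQL metacharacter."""
    if req.method != "POST" or "/ajax/savedsearch.php" not in req.uri:
        return False
    # The rule's /R anchors the pcre right after each "ids[" match and the
    # engine retries later occurrences, so every occurrence is checked.
    start = 0
    while (idx := req.body.find("ids[", start)) != -1:
        if SQLI_AFTER_IDS.match(req.body[idx + len("ids["):]):
            return True
        start = idx + 1
    return False

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign_ids": HttpRequest("POST", "/ajax/savedsearch.php", "ids[0]=12&ids[1]=15"),
    "quote_in_ids": HttpRequest("POST", "/ajax/savedsearch.php", "ids[0]=1'"),
    "encoded_quote": HttpRequest("POST", "/ajax/savedsearch.php", "ids[0]=1%27"),
    "metachar_other_param": HttpRequest("POST", "/ajax/savedsearch.php", "ids[0]=7&name=o'brien"),
    "get_not_matched": HttpRequest("GET", "/ajax/savedsearch.php?ids[0]=1'", ""),
    "other_endpoint": HttpRequest("POST", "/front/central.php", "ids[0]=1'"),
}

def scan_samples() -> dict[str, bool]:
    """Run the approximation over every sample; name -> alert flag."""
    return {name: matches_cve_2024_40638_rule(r) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:22} {'ALERT' if hit else 'ok'}")
```

Note that "metachar_other_param" stays quiet: the `[^&]*?` in the pcre stops at the parameter boundary, so a quote in an unrelated field does not trigger the rule.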

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 8.8 HIGH