CVE-2024-40638SQL Injection in Glpi

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
15.3%
top 5.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Glpi-project Glpi
Timeline
PublishedNov 15
Latest updateJan 28

Description

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDglpi-project/glpi0.8510.0.17
CVEListV5glpi-project/glpi>= 0.85, < 10.0.17

🔴Vulnerability Details

1
OSV
CVE-2024-40638: GLPI is a free asset and IT management software package2024-11-15

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated Account Takeover via SQL Injection (CVE-2024-40638)2026-01-28