CVE-2022-29250

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
VendorProductVersion
glpi-projectglpi
10.0.0
glpi-projectglpi
10.0.0:beta
glpi-projectglpi
10.0.0:rc1
glpi-projectglpi
10.0.0:rc2
glpi-projectglpi
10.0.0:rc3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
glpi
noble
dne
mantic
dne
jammy
dne
focal
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/glpi-project/glpi/security/advisories/GHSA-5w33-4wrx-8hvw
https://github.com/glpi-project/glpi/security/advisories/GHSA-5w33-4wrx-8hvw