CVE-2022-29250

EUVD-2022-33602
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
Affected Products (NVD)
VendorProductVersion
glpi-projectglpi
10.0.0
glpi-projectglpi
10.0.0:beta
glpi-projectglpi
10.0.0:rc1
glpi-projectglpi
10.0.0:rc2
glpi-projectglpi
10.0.0:rc3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
glpi
focal
dne
jammy
dne
mantic
dne
noble
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/glpi-project/glpi/security/advisories/GHSA-5w33-4wrx-8hvw
https://github.com/glpi-project/glpi/security/advisories/GHSA-5w33-4wrx-8hvw