Skip to main content

Glpi CVE-2024-27756

HIGH
Code Injection (CWE-94)
2024-03-15 cve@mitre.org
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 15, 2024 - 07:15 cve.org
HIGH 8.8

DescriptionCVE.org

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.

AnalysisAI

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. Affected products include: Glpi-Project Glpi. Version information: through 10.0.12.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

More in Glpi

View all
CVE-2013-5696 MEDIUM POC
6.8 Sep 23

inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installati

CVE-2025-24799 HIGH POC
7.5 Mar 18

GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers ca

CVE-2022-35914 CRITICAL POC
9.8 Sep 19

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. Rat

CVE-2022-31056 CRITICAL POC
9.8 Jun 28

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking an

CVE-2013-2225 MEDIUM POC
6.4 May 27

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _pr

CVE-2020-11060 HIGH POC
8.8 May 12

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Rated high severity (

CVE-2019-14666 HIGH POC
8.8 Sep 25

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. Rated hig

CVE-2014-9258 MEDIUM POC
6.5 Dec 19

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to exec

CVE-2024-29889 HIGH POC
8.1 May 07

GLPI is a Free Asset and IT Management Software package. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2013-2226 HIGH POC
7.5 May 14

Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands vi

CVE-2016-7508 HIGH POC
7.5 Jun 21

Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL co

CVE-2021-21327 HIGH POC
7.5 Mar 08

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses track

Share

CVE-2024-27756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy