SQL Injection Vulnerability in Saved Searches Feature Allows User Data Tampering and Takeover
CVE-2024-29889

8.1HIGH

Key Information:

Vendor: Glpi-project
Status: Glpi
Vendor: CVE Published:; 7 May 2024

Summary

GLPI, a widely used asset and IT management software, features a SQL injection vulnerability that impacts the saved searches functionality. This issue permits an authenticated user to manipulate another user's account information, potentially leading to unauthorized control over that account. The vulnerability affects users of GLPI prior to version 10.0.15, which has since implemented fixes to address this security flaw.

Affected Version(s)

glpi < 10.0.15

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

https://github.com/glpi-project/glpi/commit/0a6b28be4c0f8...

x_refsource_MISC

EPSS Score

36% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 7, 2024
Vulnerability Reserved
Mar 21, 2024