SQL Injection Vulnerability in GLPI Asset and IT Management Software
CVE-2025-21619

8.2HIGH

Key Information:

Vendor: GLPI Project
Status: Glpi
Vendor: CVE Published:; 18 March 2025

Summary

GLPI, an open-source asset and IT management software, has a security vulnerability that allows administrator users to perform SQL injection attacks through its rules configuration forms. This flaw can potentially lead to unauthorized access to the database and extraction of sensitive information. The issue has been addressed in version 10.0.18, highlighting the importance for users to upgrade their installations to mitigate risks associated with this vulnerability.

Affected Version(s)

glpi >= 0.78, < 10.0.18

References

https://github.com/glpi-project/glpi/security/advisories/...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Mar 18, 2025
Vulnerability Reserved
Dec 29, 2024