SQL Injection Vulnerability in GLPI Asset Management Software
CVE-2025-24799

7.5 HIGH

Key Information:

CVE Published: 18 March 2025


What is CVE-2025-24799?

CVE-2025-24799 is a security vulnerability in GLPI (Gestionnaire Libre de Parc Informatique), an open-source asset and IT management application. It allows unauthorized users to perform SQL injection through the software's inventory endpoint. Successful exploitation can severely compromise the integrity of the data that organizations manage in GLPI, potentially allowing attackers to manipulate or steal sensitive information.

Technical Details

The vulnerability stems from unvalidated input at GLPI's inventory endpoint, which lets unauthenticated users inject SQL into queries run against the underlying database. Exploitation can therefore result in unintended database actions such as data manipulation or extraction. Because GLPI hosts both asset management and IT service management functions, all of the data behind those functions is exposed by this flaw. The issue is resolved in GLPI version 10.0.18, which reinforces secure handling of the affected SQL queries.
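As an added illustration of the bug class and its fix (not GLPI's own code, which is PHP, and not taken from this advisory), the following Python uses a constructed in-memory asset table to show a lookup that splices an inventory-supplied serial number into the query text beside the parameterized form that the fix relies on. The table, column names and serial values are assumptions made for the demo.

```python
import sqlite3


def make_inventory_db() -> sqlite3.Connection:
    """Build a constructed in-memory asset table standing in for a real inventory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, serial TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO assets (name, serial, owner) VALUES (?, ?, ?)",
        [("laptop-01", "SN-1001", "alice"),   # sample rows, constructed for the demo
         ("laptop-02", "SN-1002", "bob"),
         ("server-01", "SN-2001", "ops")],
    )
    return conn


def find_asset_unsafe(conn: sqlite3.Connection, serial: str) -> list:
    """Vulnerable pattern: unvalidated input spliced into the SQL text.

    The value becomes part of the statement itself, so input that contains SQL
    syntax can alter the WHERE clause and return rows the caller never asked for.
    """
    sql = f"SELECT name, owner FROM assets WHERE serial = '{serial}'"
    return conn.execute(sql).fetchall()


def find_asset_safe(conn: sqlite3.Connection, serial: str) -> list:
    """Hardened pattern: the value is bound as a parameter.

    The driver sends the parameter separately from the SQL text, so it is only
    ever compared against the serial column and is never parsed as SQL.
    """
    return conn.execute(
        "SELECT name, owner FROM assets WHERE serial = ?", (serial,)
    ).fetchall()


def row_counts(serial: str) -> tuple:
    """Return (rows from the unsafe lookup, rows from the safe lookup) for one input."""
    conn = make_inventory_db()
    return len(find_asset_unsafe(conn, serial)), len(find_asset_safe(conn, serial))


if __name__ == "__main__":
    # A well-formed serial behaves the same either way; a serial carrying SQL
    # syntax (constructed here) only changes the result of the unsafe lookup.
    print(row_counts("SN-1001"))        # (1, 1)
    print(row_counts("x' OR '1'='1"))   # (3, 0)
```

A quick way to audit code for this pattern is to search for f-strings, string concatenation or `%` formatting that feed `execute()`; every such call site should be converted to a parameterized query as above.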

Potential Impact of CVE-2025-24799

  1. Data Breach: Unauthorized SQL injections can lead to the exposure of sensitive user data, financial records, and other critical information stored within the GLPI system.

  2. Data Integrity Compromise: Attackers can manipulate data within the database, leading to inaccurate reporting and loss of trust in asset management processes.

  3. Operational Disruption: Organizations may face disruptions in their IT management processes, potentially resulting in financial losses and reputational damage due to system downtime or compromised operational integrity.

Affected Version(s)

glpi >= 10.0.0, < 10.0.18

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • Vulnerability published

  • Vulnerability Reserved