Vulnerability Details CVE-2022-31056
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.018
EPSS Ranking 81.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.html
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg
- http://packetstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.html
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg
Products affected by CVE-2022-31056
-
cpe:2.3:a:glpi-project:glpi:10.0.0
-
cpe:2.3:a:glpi-project:glpi:10.0.1