Unrated severityNVD Advisory· Published Oct 7, 2020· Updated Aug 4, 2024

SQL Injection in GLPI Search API

CVE-2020-15226

Description

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

Affected products

Glpi Project/Glpiv5
Range: >= 9.1, < 9.5.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/glpi-project/glpi/commit/3dc4475c56b241ad659cc5c7cb5fb65727409cf0mitrex_refsource_CONFIRM
github.com/glpi-project/glpi/security/advisories/GHSA-jwpv-7m4h-5gvcmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000