CVE-2025-54780
Description
The glpi-screenshot-plugin allows users to take screenshots or screen recordings directly from GLPI. In versions below 2.0.2, an authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2.
Patches
24ff51af0321d49215b53a05d
Vulnerability mechanics
Root cause
"Insufficient validation of user-supplied input in the /ajax/screenshot.php endpoint allows for arbitrary file access via path traversal or PHP wrappers."
Attack vector
An authenticated user can exploit this vulnerability by sending a crafted request to the `/ajax/screenshot.php` endpoint. By manipulating the input parameters, an attacker can perform path traversal or utilize PHP wrappers to read arbitrary files from the underlying system [CWE-73]. The attack is performed over the network and does not require user interaction [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N].
Affected code
The vulnerability exists within the `/ajax/screenshot.php` endpoint of the glpi-screenshot-plugin. This file fails to properly sanitize user-supplied input before using it in filesystem operations, allowing unauthorized access to system files. This is addressed in [patch_id=12749] and [patch_id=12750].
What the fix does
The patches [patch_id=12749] and [patch_id=12750] introduce input validation and sanitization logic to the `/ajax/screenshot.php` endpoint. By restricting the paths and file names that can be accessed, the fix prevents users from influencing filesystem operations to leak sensitive data. This ensures that only intended files are processed by the plugin.
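One way to implement the kind of path and file-name restriction described above, as an added example that is not the plugin's code and not the content of the patches. The helper name `resolve_inside()`, the temporary directory, the sample file name and the allow-listed extensions are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the plugin's code): map a user-supplied file name
// to a real path inside $baseDir, or return null if it must not be served.
function resolve_inside(string $baseDir, string $name): ?string
{
    // 1. Reject anything that looks like a stream wrapper or URL scheme
    //    (php://, phar://, file://, data:, ...) before any filesystem call.
    if (preg_match('#\A[a-z][a-z0-9+.\-]*:#i', $name) === 1) {
        return null;
    }
    // 2. Allow-list: a bare file name with an expected extension. This also
    //    excludes "/", "\", "..", NUL bytes and trailing newlines.
    //    The extensions are an assumption for this example.
    if (preg_match('/\A[A-Za-z0-9_-]+\.(png|webm)\z/', $name) !== 1) {
        return null;
    }
    // 3. Canonicalise and confirm the result is still under the base
    //    directory, which also catches symlinks pointing elsewhere.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data: a temporary directory holding one sample file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'shots_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'capture_01.png', 'constructed sample');

$inputs = [
    'capture_01.png',                        // existing file name
    '../capture_01.png',                     // traversal
    '/etc/hostname',                         // absolute path
    'php://filter/resource=capture_01.png',  // stream wrapper
    "capture_01.png\0.txt",                  // embedded NUL
];
foreach ($inputs as $in) {
    $verdict = resolve_inside($dir, $in) === null ? 'rejected' : 'allowed';
    printf("%-45s %s\n", json_encode($in), $verdict);
}
```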
Preconditions
- auth: The attacker must have an authenticated account on the GLPI instance.
Generated by google/gemini-3.1-flash-lite-preview on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.