CVE-2022-29250: SQL injection in GLPI
First published: Thu Jun 09 2022(Updated: )
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | =10.0.0 | |
| GLPI | =10.0.0-beta | |
| GLPI | =10.0.0-rc1 | |
| GLPI | =10.0.0-rc2 | |
| GLPI | =10.0.0-rc3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-29250?
CVE-2022-29250 is considered a high-severity vulnerability due to the potential for SQL injection attacks.
How do I fix CVE-2022-29250?
To remediate CVE-2022-29250, you should upgrade GLPI to version 10.0.1 or later.
Which versions of GLPI are affected by CVE-2022-29250?
CVE-2022-29250 affects GLPI versions prior to 10.0.1, specifically including 10.0.0 and its beta and release candidate versions.
What type of vulnerability is CVE-2022-29250?
CVE-2022-29250 is classified as an SQL injection vulnerability.
Can CVE-2022-29250 be exploited remotely?
Yes, CVE-2022-29250 can be exploited remotely through vulnerable search pages.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/title
- agent/severity
- agent/references
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/10.0.0
- version/glpi/10.0.0-beta
- version/glpi/10.0.0-rc1
- version/glpi/10.0.0-rc2
- version/glpi/10.0.0-rc3