CVE-2022-21720
SQL injection using custom CSS administration form in GLPI
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 4.9EPSS 1.1%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
28 ene 2022Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Productos afectados
n/a · n/a