CVE-2024-29889 HIGH

CVE-2024-29889: GLPI contains an SQL injection through the saved searches

Vendor Glpi-Project
Product glpi
Weakness CWE-89 · SQLi
Published May 7, 2024
Last update August 2, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

GLPI is a free asset and IT management software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.

Key dates

02 Disclosure timeline

May 7, 2024 CVE published
August 2, 2024 Record updated