9.8

CVE-2022-35914

Warnung
Medienbericht
Exploit
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Glpi-projectGlpi Version <= 10.0.2

07.03.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Teclib GLPI Remote Code Execution Vulnerability

Schwachstelle

Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 99.63% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.06.2026 16:25
http://packetstormsecurity.com/files/169501/GLPI-10.0.2-Command-Injection.html
Third Party Advisory
Exploit
VDB Entry
http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
Patch
Third Party Advisory
https://github.com/Orange-Cyberdefense/CVE-repository/
Third Party Advisory
https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh
Exploit
https://github.com/glpi-project/glpi/releases
Third Party Advisory
Release Notes
https://glpi-project.org/fr/glpi-10-0-3-disponible/
Vendor Advisory
Release Notes
https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914/
Third Party Advisory
Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-35914
US Government Resource