[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"all-banners":3,"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0":4,"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU":11,"vulnerability-26946":17,"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU":46},[],["Island",5],{"key":6,"params":7,"result":9},"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0",{"props":8},"{}",{"head":10},{},["Island",12],{"key":13,"params":14,"result":15},"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU",{"props":8},{"head":16},{},{"id":18,"detectable_with":19,"vuln_details":26,"vuln_id":43,"name":44,"published":45,"updated":27},26946,{"tool":20,"engine":23},{"id":21,"name":22},1,"Network Scanner",{"id":24,"name":25},2,"Nuclei",{"id":18,"codename":27,"description":27,"severity":28,"risk_description":29,"public_description":30,"public_recommendation":31,"recommendation":27,"references":32,"cvssv3":36,"epss_score":37,"epss_percentile":38,"cve":39,"in_cisa_catalog":41,"date":42,"software_type":27,"vendor":27,"product":27,"ptt_exploit_capabilities":27},null,"high","Unauthenticated attackers can execute arbitrary SQL queries through XML requests to the Inventory feature, potentially extracting user credentials, bypassing authentication, and accessing sensitive database information.","A pre-authentication SQL injection vulnerability exists in the Inventory feature of GLPI. The vulnerability is caused by insufficient sanitization of user input in the handleAgent function when processing XML requests. The issue occurs because SimpleXMLElement objects can bypass the dbEscapeRecursive function, allowing an attacker to inject SQL queries. This can lead to unauthorized access to sensitive information in the database, including user credentials and potential authentication bypass.","Upgrade to GLPI version 10.0.18 or later. If upgrading is not immediately possible, consider disabling the Inventory feature or restricting access to it.",[33,34,35],"https://blog.lexfo.fr/glpi-sql-to-rce.html","https://github.com/glpi-project/glpi/security/advisories/GHSA-p626-hph9-p6fj","https://nvd.nist.gov/vuln/detail/CVE-2025-24799",7.5,0.55061,0.98046,[40],"CVE-2025-24799",false,"2025-03-18T00:00:00Z","NETSCAN-NUCLEI-CVE-CVE-2025-24799","GLPI \u003C 10.0.17 - Pre-Auth SQL Injection","2025-04-01T00:00:00Z",["Island",47],{"key":48,"params":49,"result":51},"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU",{"props":50},"{\"text-color\":\"gray\"}",{"head":52},{}]