Home > Vulnerability Database > CVE-2022-24867

Mend.io Vulnerability Database

CVE-2022-24867

Date: April 21, 2022

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

Language: PHP

Severity Score

7.5

Related Resources (4)

Url: https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-24867

Url: https://github.com/glpi-project/glpi/commit/26f0a20810db11641afdcf671bac7a309acbb94e

Url: https://www.mend.io/vulnerability-database/CVE-2022-24867

Severity Score

7.5

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficiently Protected Credentials

CWE-522

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	7.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-24867

Date: April 21, 2022

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?