
Exploit for GLPI <=10.0.2 - Remote Command Execution (CVE-2022-35914)

Description:

GLPI through 10.0.2 is vulnerable to unauthenticated remote command execution via /vendor/htmlawed/htmlawed/htmLawedTest.php, a test harness that ships with the bundled htmLawed library and is reachable under the web root. The harness is not needed by GLPI itself; upgrading to 10.0.3 or later (which no longer ships it) or deleting the file closes the issue.

Nuclei Template

Template: http/cves/2022/CVE-2022-35914.yaml in the nuclei-templates repository

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2022/CVE-2022-35914.yaml
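The script below is an added example (it is not part of the nuclei-templates page, the template, or GLPI) that wraps the validation step above for several targets: it first does a harmless GET on the htmLawedTest.php path from the description to see whether the harness is still reachable, and only then hands the target to nuclei for confirmation. It assumes curl and nuclei are on PATH, that the template lives at the path used above (override with TEMPLATE), and that targets are passed as base URLs; the status-to-verdict mapping is a triage heuristic, not a vulnerability proof.

```shell
#!/bin/sh
# Added example, not from the nuclei-templates page or GLPI.
# Assumptions: curl and nuclei on PATH; $TEMPLATE points at the CVE-2022-35914 template.

TEMPLATE="${TEMPLATE:-$HOME/nuclei-templates/http/cves/2022/CVE-2022-35914.yaml}"
# Path named in the advisory: the htmLawed test harness under GLPI's vendor directory.
HARNESS_PATH="vendor/htmlawed/htmlawed/htmLawedTest.php"

# Build the harness URL from a base URL, tolerating a trailing slash on the input.
harness_url() {
    base="${1%/}"
    printf '%s/%s\n' "$base" "$HARNESS_PATH"
}

# Turn the HTTP status of a plain GET on the harness into a triage verdict.
# 200: the harness answers, so the instance is likely <= 10.0.2 and worth confirming.
# 403/404: file removed (10.0.3+, or deleted by hand) or blocked in front of the app.
# Anything else (redirects, 5xx, 000 on timeout) is inconclusive and needs a look.
classify_status() {
    case "$1" in
        200) echo exposed ;;
        403|404) echo absent ;;
        *) echo inconclusive ;;
    esac
}

# Probe one target; run the nuclei template only when the harness is reachable.
check_target() {
    url=$(harness_url "$1")
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url")
    verdict=$(classify_status "$code")
    echo "$1 $code $verdict"
    if [ "$verdict" = exposed ]; then
        echo "$1" | nuclei -silent -t "$TEMPLATE"
    fi
}

# Usage: ./glpi-check.sh https://glpi.example.org https://helpdesk.example.net
if [ "$#" -ge 1 ]; then
    for target in "$@"; do
        check_target "$target"
    done
fi
```

A 200 only tells you the harness file is present; leave confirmation to the template. A 403 can come from a WAF rather than a removed file, so an "absent" verdict on an instance you know is 10.0.2 or older still deserves a manual check from a different vantage point.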

References:

https://senderend.medium.com/pg-practice-box-deep-dive-glpi-c3a1cf1520f8
https://nvd.nist.gov/vuln/detail/CVE-2022-35914
https://github.com/allendemoura/CVE-2022-35914
https://github.com/cosad3s/CVE-2022-35914-poc
https://github.com/glpi-project/glpi/releases
https://mayfly277.github.io/posts/GLPI-htmlawed-CVE-2022-35914
http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed