SQL Injection in glpi-project/glpi

Valid

Reported on

Jul 8th 2023


Description

GLPI 10.0.8 and are affected by an SQL injection on the page ajax/dashboard.php

Proof of Concept

I can provide you the POC, written in Python 3.5 (or higher). Just provide me a way to send it to you.

Tested under the following environment:

  • Ubuntu 20.04
  • GLPI 10.0.8 and 10.0.7
  • Mysql 8.0.31

The vulnerability occurs because a user can add a dashboard with a quote in its name (action "save_new_dashboard"). Then, when the attacker saves the item, the stored dashboard name results in an SQL injection (action "save_items").

Lowering the impact

The attacker needs the right to CREATE a dashboard. (I don't really know, but this seems to be a high privilege.)

The SQL injection payload is limited to 100 chars, and is time-based in most cases.

By default no stacked queries are allowed.

Increasing the impact

In GLPI <= 10.0.7 any user can exploit this vulnerability, because everyone can add a dashboard (the exploit was designed for this version and adapted for 10.0.8 afterwards).

If SQL errors are shown to the attacker, an attacker can use error-based SQL injection, which is a lot faster.

The SQL injection occurs in an 'UPDATE' statement, which can be abused in some cases.

Impact

This vulnerability allows an attacker to recover data from the database such as passwords, emails and other potentially sensitive data.
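The report describes a second-order injection: the dashboard name is stored safely on creation, then later interpolated unescaped into an UPDATE when items are saved. The following added example (not GLPI's code, not the researcher's PoC) models that two-step flow against an in-memory SQLite table and places the interpolating UPDATE beside its parameterized fix. The table, column and function names, and the sample dashboard name containing a quote, are all constructed assumptions; the quoted name is enough to show the bug class, since it already breaks the vulnerable statement while the fixed one stores it correctly.

```python
import sqlite3

# Constructed stand-in for the two actions named in the report
# ("save_new_dashboard" then "save_items"). Table, columns and function
# names are assumptions for this demo, not GLPI's own schema or API.
SAMPLE_NAME = "Team's board"  # constructed: a legitimate name with a single quote


def setup_db():
    """In-memory table standing in for the dashboards table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dashboards ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, items TEXT NOT NULL DEFAULT '')"
    )
    return conn


def save_new_dashboard(conn, name):
    """Step 1: the name is stored with a bound parameter, so any name is accepted."""
    cur = conn.execute("INSERT INTO dashboards (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def _stored_name(conn, dashboard_id):
    """Re-read the previously stored name, as the second action does."""
    row = conn.execute(
        "SELECT name FROM dashboards WHERE id = ?", (dashboard_id,)
    ).fetchone()
    if row is None:
        raise KeyError(dashboard_id)
    return row[0]


def save_items_vulnerable(conn, dashboard_id, items):
    """Step 2, vulnerable pattern: the stored name is spliced into the UPDATE
    as text, so a quote in it becomes part of the SQL grammar."""
    name = _stored_name(conn, dashboard_id)
    sql = f"UPDATE dashboards SET items = '{items}' WHERE name = '{name}'"
    conn.execute(sql)
    conn.commit()


def save_items_fixed(conn, dashboard_id, items):
    """Step 2, fixed: both values travel as bound parameters, never as SQL text."""
    name = _stored_name(conn, dashboard_id)
    conn.execute(
        "UPDATE dashboards SET items = ? WHERE name = ?", (items, name)
    )
    conn.commit()


def demo(name=SAMPLE_NAME, items='{"cards": []}'):
    """Run both variants; return (vulnerable_statement_failed, items_after_fix)."""
    conn = setup_db()
    dashboard_id = save_new_dashboard(conn, name)
    try:
        save_items_vulnerable(conn, dashboard_id, items)
        vulnerable_failed = False
    except sqlite3.OperationalError:
        # The quote in the stored name corrupted the statement: this is the
        # same unescaped splice that an attacker-controlled name would reach.
        vulnerable_failed = True
    save_items_fixed(conn, dashboard_id, items)
    stored = conn.execute(
        "SELECT items FROM dashboards WHERE id = ?", (dashboard_id,)
    ).fetchone()[0]
    return vulnerable_failed, stored


if __name__ == "__main__":
    failed, stored = demo()
    print("vulnerable UPDATE broke on a quoted name:", failed)
    print("parameterized UPDATE stored items:", stored)
```

The point a reviewer would look for in the original code is the same as here: validating or escaping a value at insert time is not enough, because a value that is later read back and rebuilt into SQL text is trusted again at that point. Binding parameters in the UPDATE removes the problem regardless of what the stored name contains.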

We are processing your report and will contact the glpi-project/glpi team within 24 hours. 2 months ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back 2 months ago
Cédric Anne
2 months ago

Maintainer


@guilhem7

I cannot find a way to reproduce. Please send more details to glpi-security@ow2.org

Regards

guilhem7
2 months ago

Researcher


Alright !

Cédric Anne validated this vulnerability 2 months ago

https://github.com/glpi-project/glpi/security/advisories/GHSA-46gp-f96h-53w4

guilhem7 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne marked this as fixed in 10.0.9 with commit 65e918 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Aug 11th 2023
Cédric Anne published this vulnerability a month ago