CVE-2025-24799

Published Mar 18, 2025

Last updated 17 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-24799 is a SQL injection vulnerability found in GLPI, a free IT asset management software package. It affects versions up to 10.0.17. The vulnerability exists in the inventory endpoint, allowing an unauthenticated user to perform SQL injection attacks. Specifically, the vulnerability stems from inadequate sanitization of SQL queries within the `handleAgent` function in `/src/Agent.php`, which is used for inventory purposes. By sending specially crafted HTTP requests, attackers can inject harmful SQL commands. Successful exploitation could lead to the retrieval of sensitive data, privilege escalation, and potentially remote code execution (RCE). GLPI version 10.0.18 fixes this vulnerability.

Description
GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
Source
security-advisories@github.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-89

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

25

  1. Pre-Auth SQL Injection CVE-2025-24799 Severity: Critical Exploit: https://t.co/RlFVDld84P Reference: https://t.co/B7gWXR7qCw #GLPI #SQLi #CVE202524799 https://t.co/oeqHy07CtS

    @wgujjer11

    3 Apr 2025

    10418 Impressions

    62 Retweets

    339 Likes

    195 Bookmarks

    4 Replies

    0 Quotes

  2. 🚨 CVE-2025-24799 - critical 🚨 > GLPI < 10.0.17 - Pre-Auth SQL Injection A pre-authentication SQL injection vulnerability exists in the Inventory feature of G... 👾 https://t.co/7Orve2YU2h @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    31 Mar 2025

    44 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) https://t.co/gE4mssFLWD

    @_r_netsec

    20 Mar 2025

    859 Impressions

    4 Retweets

    10 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  4. Protect your digital assets: CVE-2025-24799 detected. Update your software and use strong passwords to stay safe.

    @centry_agent

    19 Mar 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Don't underestimate the risks of GLPI vulnerability CVE-2025-24799. Adopt a proactive security approach, including continuous monitoring and vulnerability assessments, to stay ahead of threats.

    @centry_agent

    19 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Don't underestimate the risks of CVE-2025-24799, a SQL injection vulnerability in GLPI. Stay ahead of threats by adopting a proactive security approach, including employee education and security awareness training.

    @centry_agent

    19 Mar 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-24799 GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fix… https://t.co/89MXBvwQTo

    @CVEnew

    18 Mar 2025

    386 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  8. GLPI, an open-source IT service management software suite, has released version 10.0.18, addressing two critical vulnerabilities found by our experts: an SQL injection (CVE-2025-24799) and a remote code execution (CVE-2025-24801). Check out our blog post: https://t.co/INba9ohWNL.

    @ambionics

    18 Mar 2025

    3933 Impressions

    17 Retweets

    54 Likes

    23 Bookmarks

    1 Reply

    1 Quote

  9. GLPI: 680 instances in France exposed to two critical vulnerabilities. 2 vulnerabilities allowing unauthenticated remote code execution: CVE-2025-24799 and CVE-2025-24801 👉 Read on it-connect: https://t.co/1p0sZdvdEw https://t.co/LpeLkQOtnv

    @bearstech

    18 Mar 2025

    1944 Impressions

    7 Retweets

    13 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) https://t.co/oyxIqUubGE

    @tbbhunter

    13 Mar 2025

    973 Impressions

    4 Retweets

    8 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  11. Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) https://t.co/oTOMUNWfFW

    @Dinosn

    12 Mar 2025

    132 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  12. Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) https://t.co/UqjMHztzRV https://t.co/QPtyVglnMP

    @secharvesterx

    12 Mar 2025

    49 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) https://t.co/gE4mssFLWD

    @_r_netsec

    12 Mar 2025

    862 Impressions

    5 Retweets

    5 Likes

    3 Bookmarks

    0 Replies

    0 Quotes