Vulnerability CVE-2022-35914: Information

Description

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-35914

Published: Sept. 19, 2022

Modified: Oct. 29, 2022

Error type identifier: CWE-74

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
glpi	sisyphus	10.0.3-alt1	10.0.15-alt1	ALT-PU-2022-2614-1	306812	Fixed
glpi	sisyphus_e2k	10.0.3-alt1	10.0.15-alt1	ALT-PU-2022-6172-1	-	Fixed
glpi	p10	9.5.9-alt1	10.0.15-alt1	ALT-PU-2022-2624-1	306811	Fixed
glpi	p10_e2k	9.5.9-alt1	10.0.15-alt1	ALT-PU-2022-6268-1	-	Fixed
glpi	p9	9.5.9-alt1	9.5.13-alt1	ALT-PU-2022-2665-1	307140	Fixed
glpi	p9_e2k	9.5.9-alt1	9.5.13-alt1	ALT-PU-2022-6434-1	-	Fixed
glpi	c10f1	10.0.15-alt1	10.0.15-alt1	ALT-PU-2024-8030-2	348513	Fixed
glpi	c9f2	9.5.13-alt1	9.5.13-alt1	ALT-PU-2024-8094-3	348598	Fixed
glpi	p11	10.0.3-alt1	10.0.15-alt1	ALT-PU-2022-2614-1	306812	Fixed

Hyperlink	Resource
http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed	Patch Third Party Advisory
https://github.com/glpi-project/glpi/releases	Release Notes Third Party Advisory
https://glpi-project.org/fr/glpi-10-0-3-disponible/	Release Notes Vendor Advisory
http://packetstormsecurity.com/files/169501/GLPI-10.0.2-Command-Injection.html	Exploit Third Party Advisory VDB Entry

Affected configurations:
1. Configuration 1
  cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
  End including
  10.0.2

Version: v24.5.3