SQL injection in GLPI

Published: 2017-06-28
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-7508
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Web applications / CRM systems

Vendor glpi-project

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) SQL injection


Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-7508

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: Yes


The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands.

The weakness exists due to improper validation of user-supplied input. A remote attacker can supply a specially crafted character when the database is configured to use Big5 Asian encoding and execute arbitrary SQL commands on the system.


Install update from vendor's website.

Vulnerable software versions

GLPI: 0.90.4

External links


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.