CVE-2020-15226

Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 9.5.2

Description: The issue is related to a SQL Injection in the API's search function, allowing an attacker to break SQL syntax and utilize a UNION SELECT query to reflect sensitive information, such as the current database version or database user. This vulnerability is most likely to be exploited by someone with an API account to the system. The issue is related to incorrect neutralization of special elements used in SQL commands, which can allow a remote attacker to execute arbitrary SQL queries to the database by sending a specially crafted request to the vulnerable application.

Recommendations: For versions prior to 9.5.2, update to version 9.5.2 to resolve the issue. As a temporary workaround, consider restricting access to the API's search function until the patch is applied. Avoid using the vulnerable search function in the API until the issue is resolved.