一、 漏洞 CVE-2022-35914 基础信息
漏洞信息
# N/A
## 漏洞概述
htmlawed模块中的`htmLawedTest.php`文件允许PHP代码注入。
## 影响版本
GLPI 10.0.2及之前版本
## 漏洞细节
攻击者可能通过恶意输入在`htmLawedTest.php`文件中注入PHP代码,进而执行任意PHP代码。
## 漏洞影响
成功利用此漏洞可能导致远程代码执行,危及服务器安全。
提示
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
二、漏洞 CVE-2022-35914 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | None | https://github.com/cosad3s/CVE-2022-35914-poc | POC详情 |
| 2 | None | https://github.com/Lzer0Kx01/CVE-2022-35914 | POC详情 |
| 3 | None | https://github.com/6E6L6F/CVE-2022-35914 | POC详情 |
| 4 | Unauthenticated RCE in GLPI 10.0.2 | https://github.com/0xGabe/CVE-2022-35914 | POC详情 |
| 5 | Script in Ruby for the CVE-2022-35914 - RCE in GLPI | https://github.com/Johnermac/CVE-2022-35914 | POC详情 |
| 6 | PoC exploit for GLPI - Command injection using a third-party library script | https://github.com/allendemoura/CVE-2022-35914 | POC详情 |
| 7 | 𓃌 - htmlLawed 1.2.5 Remote code Execution | https://github.com/0romos/CVE-2022-35914 | POC详情 |
| 8 | Modified for GLPI Offsec Lab: call_user_func, array_map, passthru | https://github.com/noxlumens/CVE-2022-35914_poc | POC详情 |
| 9 | PoC exploit for GLPI - Command injection using a third-party library script | https://github.com/senderend/CVE-2022-35914 | POC详情 |
| 10 | None | https://github.com/btar1gan/exploit_CVE-2022-35914 | POC详情 |
| 11 | GLPI through 10.0.2 is susceptible to remote command execution injection in /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-35914.yaml | POC详情 |
| 12 | None | https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/GLPI%20htmLawedTest.php%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2022-35914.md | POC详情 |
三、漏洞 CVE-2022-35914 的情报信息
- http://www.bioinformatics.org/phplabware/sourceer/sourceer.php?&Sfs=htmLawedTest.php&Sl=.%2Finternal_utilities%2FhtmLawed
- https://github.com/glpi-project/glpi/releases
- https://glpi-project.org/fr/glpi-10-0-3-disponible/
- http://packetstormsecurity.com/files/169501/GLPI-10.0.2-Command-Injection.html
-
标题: GitHub - Orange-Cyberdefense/CVE-repository: Repository of CVE found by OCD people -- 🔗来源链接
标签:
-
标题: CVE-repository/PoCs/POC_2022-35914.sh at master · Orange-Cyberdefense/CVE-repository · GitHub -- 🔗来源链接
标签:
-
标题: GLPI htmlawed (CVE-2022-35914) | Mayfly -- 🔗来源链接
标签:
- https://nvd.nist.gov/vuln/detail/CVE-2022-35914