Headline
CVE-2022-35914 | PHP Labware source code viewer
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Related news
htmLawed versions 1.2.5 and below proof of concept remote command execution exploit.
In Jorani 1.0.0, an attacker could leverage path traversal to access files and execute code on the server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below:
- CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability
- CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability
This Metasploit module exploits an unauthenticated PHP command injection vulnerability in GLPI versions 10.0.2 and below to execute a command.