KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2022-35914

PUBLISHED

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Exploited in the wild Remote Low complexity No user interaction
Vendor
GLPI
Product
GLPI
Published
Sep 19, 2022
EPSS

Description

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

php cisa nuclei_scanner metasploit

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2023-03-07 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Mar 07, 2023

Scanner integrations

Scanner Reference Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/glpi_htmlawed_php_injection.rb Apr 28, 2025
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-35914.yaml Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

glpi_htmlawed_php_injection

metasploit · Created Unknown

Metasploit module for CVE-2022-35914

senderend/CVE-2022-35914

github · Created 2024-04-24 06:39:10 UTC · 2 stars

PoC exploit for GLPI - Command injection using a third-party library script

0xGabe/CVE-2022-35914

github · Created 2022-11-06 06:23:14 UTC · 2 stars

Unauthenticated RCE in GLPI 10.0.2

Lzer0Kx01/CVE-2022-35914

github · Created 2022-10-09 07:46:58 UTC · 2 stars

cosad3s/CVE-2022-35914-poc

github · Created 2022-09-30 16:43:28 UTC · 48 stars

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei

  • Detected by Metasploit