Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

GLPI htmLawedTest.php PHP Code Injection

Identifiers: CVE-2022-35914, CWE-94

CVE-2022-35914 is a PHP code injection vulnerability (CWE-94) in the htmLawed library bundled with GLPI through version 10.0.2. The vulnerable component is the library's own test/demo page, /vendor/htmlawed/htmlawed/htmLawedTest.php, which GLPI shipped inside its web root. Input submitted to that page reaches PHP function-calling logic, so an unauthenticated remote attacker who can reach the file can execute arbitrary PHP code, and through it operating-system commands, as the web server user. The issue is listed in CISA's Known Exploited Vulnerabilities catalog, and botnet scanners have used the exposed test page as an initial-access exploit.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation yields remote code execution as the web server/PHP process user. From there an attacker can run arbitrary system commands, obtain an interactive or reverse shell, deploy malware, establish persistence, and use the GLPI host (an IT asset-management and helpdesk system that usually sits well inside the network) as a foothold for lateral movement. Observed in-the-wild use has been by botnet tooling for initial access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible: deny access to /vendor/htmlawed/htmlawed/htmLawedTest.php at the web server, reverse proxy or WAF layer (an Apache Files/Location rule or an nginx location returning 403), or delete the file outright, since it is the library's demonstration page and GLPI does not need it; restrict the GLPI front end to trusted administrative networks where feasible; monitor access logs for any request to htmLawedTest.php (a POST is an exploitation attempt, a GET is a probe, and a 200 on either means the page is still exposed) and for the PHP process spawning shells or command interpreters; and limit outbound connectivity from the GLPI host to cut off reverse shells and malware downloads.
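
The monitoring step above can be scripted. The following is an added example, not code from this page or from the GLPI project: it parses Apache/nginx combined-format access logs, normalises the request path (query string stripped, percent-encoding decoded twice to defeat double encoding, case folded) and grades every hit on htmLawedTest.php by method and response status. The log lines at the bottom are constructed samples using documentation IP ranges, not real traffic.

```python
"""Detect requests to GLPI's bundled htmLawedTest.php in web server access logs.

Added example, not code from the Mallory page or the GLPI project. Assumes the
combined log format used by Apache and nginx; the log lines below are
constructed samples, not real traffic.
"""
import re
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The vulnerable file lives under GLPI's vendor/ tree; match it as a path
# suffix so non-root installs (e.g. /glpi/) are still caught.
TARGET = "/vendor/htmlawed/htmlawed/htmlawedtest.php"


def normalise_path(raw: str) -> str:
    """Strip the query string, decode percent-encoding twice (double-encoding
    tricks) and lower-case the result for comparison."""
    path = raw.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.lower()


def classify(line: str):
    """Return a finding dict for a log line that touches htmLawedTest.php,
    or None if the line is uninteresting or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise_path(m["path"])
    if not path.endswith(TARGET):
        return None
    method = m["method"]
    status = int(m["status"])
    if method == "POST" and status == 200:
        severity = "critical"   # payload accepted by a live test page
        note = "POST to htmLawedTest.php answered 200: treat as exploitation attempt"
    elif method == "POST":
        severity = "high"
        note = f"POST to htmLawedTest.php answered {status}: attempt, page blocked or absent"
    elif status == 200:
        severity = "high"
        note = "GET to htmLawedTest.php answered 200: page is exposed, probe succeeded"
    else:
        severity = "medium"
        note = f"GET to htmLawedTest.php answered {status}: scanner probe"
    return {"ip": m["ip"], "time": m["time"], "method": method,
            "status": status, "severity": severity, "note": note}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 6210 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2023:14:02:01 +0000] "GET /vendor/htmlawed/htmlawed/htmLawedTest%2Ephp HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2023:14:03:11 +0000] "GET /front/central.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:8} {finding["ip"]:15} {finding["method"]:4} '
              f'{finding["status"]} {finding["note"]}')
```

Feed it real logs with `scan(open("/var/log/apache2/access.log"))`; a critical finding (POST answered 200) on a host that was not yet patched is the trigger for the assume-compromise steps in the remediation section.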

Remediation

Patch, then assume compromise.

Upgrade GLPI to 10.0.3 or later, which addresses CVE-2022-35914. After upgrading, confirm that /vendor/htmlawed/htmlawed/htmLawedTest.php no longer exists under the web root and returns 404 (or 403 if you deny it) from outside; delete it if a partial upgrade or a custom deployment left it behind, and check that no other test or diagnostic scripts under /vendor/ are web-accessible. Because this was exploited in the wild before many installations were patched, treat every previously exposed instance as potentially compromised: review web server logs for POST requests to htmLawedTest.php, look for web shells and unexpected files under the GLPI web root, check cron entries and other persistence on the host, and rotate credentials stored in or reachable from GLPI.
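
A post-upgrade check, as an added example (not code from this page or from the GLPI project): it requests the test page from outside and, optionally, looks for the file on disk, so both the web server rule and the removal can be confirmed. The fingerprint string "htmLawed" is assumed to appear in the library's test page HTML; the `fetch` argument is injectable so the classification can be exercised offline with constructed responses.

```python
"""Verify that GLPI's bundled htmLawedTest.php is no longer reachable after an upgrade.

Added example, not code from the Mallory page or the GLPI project. The HTTP
fingerprint (the literal string "htmLawed" in the response body) is an
assumption about the library's test page; adjust it if your copy differs.
"""
import sys
import urllib.error
import urllib.request
from pathlib import Path

TEST_PAGE = "vendor/htmlawed/htmlawed/htmLawedTest.php"
FINGERPRINT = "htmLawed"   # assumed marker present in the test page's HTML


def assess(status: int, body: str) -> tuple[str, str]:
    """Classify an HTTP response for the test page.

    Returns (verdict, reason) where verdict is one of:
      'exposed' - the page is served and looks like the htmLawed test page
      'blocked' - the server refused it (401/403): mitigation in place
      'absent'  - 404/410: file removed, the fixed state
      'unknown' - something answered but not the expected page
    """
    if status in (401, 403):
        return "blocked", f"HTTP {status}: access denied at the web server/WAF"
    if status in (404, 410):
        return "absent", f"HTTP {status}: test page not present"
    if status == 200 and FINGERPRINT in body:
        return "exposed", "HTTP 200 and body matches the htmLawed test page"
    return "unknown", f"HTTP {status} without the expected fingerprint; inspect manually"


def fetch_http(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the URL and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "glpi-htmlawed-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


def check_web(base_url: str, fetch=fetch_http) -> tuple[str, str]:
    """Probe <base_url>/<TEST_PAGE>. `fetch` is injectable so the logic can be
    exercised offline with constructed (status, body) pairs."""
    status, body = fetch(base_url.rstrip("/") + "/" + TEST_PAGE)
    return assess(status, body)


def check_filesystem(glpi_root: str) -> tuple[str, str]:
    """Local check on the GLPI host: is the file still on disk under the web root?"""
    path = Path(glpi_root) / TEST_PAGE
    if path.is_file():
        return "present", f"{path} still exists; delete it or deny it at the web server"
    return "absent", f"{path} not found"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check.py https://glpi.example.org [/var/www/glpi]")
    results = [check_web(sys.argv[1])]
    if len(sys.argv) > 2:
        results.append(check_filesystem(sys.argv[2]))
    for verdict, reason in results:
        print(f"{verdict}: {reason}")
    # Non-zero exit if either the page is served or the file is still on disk.
    sys.exit(1 if any(v in ("exposed", "present") for v, _ in results) else 0)
```

Run it from outside the trusted network as well as from the host itself: a `blocked` verdict from outside combined with `present` on disk means the mitigation is holding but the remediation is not finished.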
PUBLIC EXPLOITS

Exploits

3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 3 / 4 total

CVE-2022-35914_poc · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2022-35914, a remote code execution vulnerability in GLPI. The main file, CVE-2022-35914.py, is a command-line tool that targets the /vendor/htmlawed/htmlawed/htmLawedTest.php endpoint of a vulnerable GLPI installation. By sending crafted POST requests, the script abuses the page's improper input handling to execute arbitrary system commands on the server through PHP's call_user_func, array_map and passthru functions. It can be used either to check whether a target is vulnerable or to run arbitrary commands, with the command output displayed to the user. The repository also includes a README.md with usage instructions and references, and a requirements.txt listing Python dependencies (beautifulsoup4, requests, argparse). The exploit is operational and provides direct command execution on the target if successful.

noxlumens · Disclosed Aug 25, 2024 · python · network

CVE-2022-35914 · Maturity: PoC · Verified exploit

This repository provides a Python proof-of-concept exploit for CVE-2022-35914, a command injection vulnerability in GLPI via the /vendor/htmlawed/htmlawed/htmLawedTest.php script. The main file, CVE-2022-35914.py, takes a target URL and an optional command to execute (default: 'id'). It first checks if the endpoint is accessible and appears to be the expected htmLawed test page, then crafts a POST request to exploit the vulnerability, allowing arbitrary command execution as the web server user. The exploit can be used for basic command execution or to obtain a reverse shell, as demonstrated in the README. The code is operational and can be used directly against vulnerable GLPI instances. The only fingerprintable endpoint is the htmLawedTest.php script, which must be accessible on the target. The repository also includes a README with usage instructions and a requirements.txt for dependencies.

senderend · Disclosed Apr 24, 2024 · python · network

CVE-2022-35914-poc · Maturity: PoC · Verified exploit

This repository provides a Python proof-of-concept exploit for CVE-2022-35914, a command injection vulnerability in GLPI via the third-party htmLawedTest.php script. The main file, CVE-2022-35914.py, is a command-line tool that takes a target URL and an optional command to execute (defaulting to 'id'). It first checks that the vulnerable script is accessible and looks like the htmLawed test page, then sends a POST request that injects and executes the specified command on the server. The command output is parsed from the server's response and displayed to the user. The exploit requires the target to run a vulnerable GLPI version with htmLawedTest.php exposed. The repository also includes a README with usage instructions and a requirements.txt listing Python dependencies (beautifulsoup4, requests, argparse). The attack vector is network-based, targeting the HTTP endpoint /vendor/htmlawed/htmlawed/htmLawedTest.php on the GLPI server.

cosad3s · Disclosed Sep 30, 2022 · python · network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor        Product  Type
Glpi-Project  Glpi     application

Vendor-confirmed product mapping.
