Wuerth Phoenix has released some Critical Patches (CPs) for NetEye 4. These CPs resolve multiple vulnerabilities related to SQL injections, Cross Site Scripting and an unauthenticated remote command execution (RCE) exploit.
Description
GLPI was affected by:
[Critical] RCE using a third-party library script (CVE-2022-35914).
[Critical] Privilege Escalation by authentication via SQL injection (CVE-2022-35947)
XSS through registration API (CVE-2022-35945)
Leak of sensitive information through login page error (CVE-2022-31143)
SQL injection through plugin controller (CVE-2022-35946)
CVE-2022-35914 RCE workaround for older NetEye 4 versions
Remove /usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php file from the filesystem on all NetEye nodes. This will prevent unauthenticated attackers to compromise your NetEye installation.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected Products
All NetEye 4.x versions prior to and including 4.26.
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Author
Gianluca Piccolo
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Important: Elastic Stack security update Type/Severity NetEye Product Security has rated this update as having a High security impact. Topic An update for the elasticsearch and kibana packages is now available for NetEye 4. Security Fix for NetEye 4.44 9.0.8_neteye3.85.1-1 CVEs CVE-2025-25009: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Read More
Satellite config creation in HA mode using zone names with whitespaces We've addressed an issue where running the neteye satellite config create for a satellite configured in HA mode having whitespaces in the Zone name prevented the procedure to successfully Read More
Dashboard Graphs Now Use Full Width We've addressed an issue where service and host graphs on dashboards were not utilizing the full available width. This fix ensures the charts now expand to fill the space, providing a better and clearer Read More
Important: Elastic Stack security update (installed with SIEM) Type/Severity NetEye Product Security has rated this update as having a High security impact. Topic An update for the elasticsearch package is now available for NetEye 4. Security Fix for NetEye 4.43 8.18.6_neteye3.81.9-1 CVE-2025-54988 (Apache Read More
Fix redirect to __SELF__ We resolved a bug for which sometimes during the login workflow an automatic redirect to __SELF__ was performed, forcing the user to manually change the URL on the browser tab. List of updated packages To solve Read More