Wuerth Phoenix has released some Critical Patches (CPs) for NetEye 4. These CPs resolve multiple vulnerabilities related to SQL injections, Cross Site Scripting and an unauthenticated remote command execution (RCE) exploit.
Description
GLPI was affected by:
[Critical] RCE using a third-party library script (CVE-2022-35914).
[Critical] Privilege Escalation by authentication via SQL injection (CVE-2022-35947)
XSS through registration API (CVE-2022-35945)
Leak of sensitive information through login page error (CVE-2022-31143)
SQL injection through plugin controller (CVE-2022-35946)
CVE-2022-35914 RCE workaround for older NetEye 4 versions
Remove /usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php file from the filesystem on all NetEye nodes. This will prevent unauthenticated attackers to compromise your NetEye installation.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected Products
All NetEye 4.x versions prior to and including 4.26.
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Author
Gianluca Piccolo
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Important: Icinga 2 security update Type/Severity NetEye Product Security has rated this update as having a critical security impact. Topic An update for the icinga package is now available for NetEye 4. Security Fix for NetEye 4.48 2.15.5_neteye1.71.2-1 Summary The vulnerabilities include an Read More
Important: Elastic Stack security update Type/Severity NetEye Product Security has rated this update as having a Medium security impact. Topic An update for the Kibana package is now available for NetEye 4. Security Fix for NetEye 4.48 9.4.3_neteye3.101.2-1 CVEs CVE-2026-56148CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-56149CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-56151CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H All Read More
Fix Geo Map layers and maps deletion. We have resolved an issue in the Geo Map module that prevented users from deleting maps and layers through the web interface. List of updated packages To solve the issue mentioned above, the Read More
Important: GLPI security update Type/Severity NetEye Product Security has rated this update as having a high security impact. Topic An update for the glpi packages is now available for NetEye 4. Security Fix for NetEye 4.48 10.0.26_neteye1.19.1-1 Summary The vulnerabilities include two SQL Read More
Fix SLM Reports generation with Object Filter on service custom variables. We have resolved an issue that caused SLM Reports generation to fail when the report was based on a contract whose Object Filter contained expressions on service custom variables Read More