From a GLPI patch bypass to RCE

ID: b4edbe9d-b5ac-52da-8a53-1d5c03d82e07

STIX ID: report--b4edbe9d-b5ac-52da-8a53-1d5c03d82e07

Feed Name: SensePost Blog

Threat Score: 80/100

Date Published: 2024-06-20

Date Updated: 2026-04-30


**GLPI RCE chain (SQLi patch bypass → mass-assignment → LFI → web shell):** This report details a proof-of-concept attack chain against GLPI (versions <=10.0.14 / <10.0.15, depending on context). A JSON encoding/escaping interaction permits SQL injection despite patches. Mass-assignment via POST allows poisoning of user session fields (savedsearches_pinned) to trigger the SQLi. This is followed by rights escalation, and then a plugin directory LFI combined with permissive file uploads (setup.php) achieves authenticated remote code execution. CVE-2024-37149 and subsequent GLPI patches are referenced, and remediation actions are recommended.
