Filtered by vendor Glpi-project
Subscriptions
Total
170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28639 | 1 Glpi-project | 1 Glpi | 2025-02-13 | 6.1 Medium |
| GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7. | ||||
| CVE-2023-28632 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 8.1 High |
| GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails. | ||||
| CVE-2023-28633 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 3.5 Low |
| GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | ||||
| CVE-2023-28634 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 8.8 High |
| GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | ||||
| CVE-2023-28636 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 4.5 Medium |
| GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7. | ||||
| CVE-2023-28838 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 9.6 Critical |
| GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user. | ||||
| CVE-2023-28849 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 10 Critical |
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory. | ||||
| CVE-2023-28852 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 4.8 Medium |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | ||||
| CVE-2024-38370 | 1 Glpi-project | 1 Glpi | 2025-02-10 | 5.3 Medium |
| GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16. | ||||
| CVE-2023-29006 | 1 Glpi-project | 1 Order | 2025-02-10 | 8.8 High |
| The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin. | ||||
| CVE-2022-34128 | 1 Glpi-project | 1 Positions | 2025-02-06 | 9.8 Critical |
| The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php. | ||||
| CVE-2022-34127 | 1 Glpi-project | 1 Manageentities | 2025-02-06 | 7.5 High |
| The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter. | ||||
| CVE-2022-34126 | 1 Glpi-project | 1 Activity | 2025-02-06 | 7.5 High |
| The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter. | ||||
| CVE-2022-34125 | 1 Glpi-project | 1 Cmdb | 2025-02-06 | 6.5 Medium |
| front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. | ||||
| CVE-2024-47758 | 1 Glpi-project | 1 Glpi | 2025-02-06 | 8.8 High |
| GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue. | ||||
| CVE-2022-35914 | 1 Glpi-project | 1 Glpi | 2025-01-29 | 9.8 Critical |
| /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. | ||||
| CVE-2024-29889 | 1 Glpi-project | 1 Glpi | 2025-01-28 | 7.1 High |
| GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15. | ||||
| CVE-2024-47761 | 1 Glpi-project | 1 Glpi | 2025-01-23 | 7.2 High |
| GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. | ||||
| CVE-2024-47760 | 1 Glpi-project | 1 Glpi | 2025-01-23 | 8.8 High |
| GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue. | ||||
| CVE-2024-47759 | 1 Glpi-project | 1 Glpi | 2025-01-23 | 4.8 Medium |
| GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17. | ||||