23 matches found

EUVD
•added 2025/10/07 12:30 a.m.•3 views

EUVD-2020-3416

Malware in sbrugna...

CVSS 7.8 | AI score 7.4 | EPSS 0.00327
Exploits: 0 | References: 3

EUVD
•added 2025/10/07 12:30 a.m.•4 views

EUVD-2017-3093

Malware in sbrugna...

CVSS 9.8 | AI score 9.3 | EPSS 0.01442
Exploits: 0 | References: 3

EUVD
•added 2025/10/07 12:30 a.m.•5 views

EUVD-2019-4746

Malware in sbrugna...

CVSS 6.1 | AI score 6.1 | EPSS 0.01327
Exploits: 1 | References: 4

EUVD
•added 2025/10/03 8:7 p.m.•4 views

EUVD-2024-41534

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 4.6 | EPSS 0.00333
Exploits: 0 | References: 1

OSV
•added 2025/07/30 2:14 p.m.•7 views

CVE-2025-53111 GLPI exposes data to non-allowed users

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19...

CVSS 6.5 | AI score 4.2 | EPSS 0.00239
Exploits: 0 | References: 3

Cvelist
•added 2025/07/30 2:14 p.m.•7 views

CVE-2025-53111 GLPI exposes data to non-allowed users

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19...

CVSS 6.5 | EPSS 0.00239
Exploits: 0 | References: 1

NVD
•added 2025/07/29 6:15 p.m.•4 views

CVE-2025-27514

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.1...

CVSS 5.4 | EPSS 0.00183
Exploits: 0 | References: 2

Vulnrichment
•added 2025/02/25 3:37 p.m.•22 views

CVE-2025-21626 GLPI vulnerable to exposure of sensitive information in the `status.php` endpoint

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the status.php endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the status.p...

CVSS 5.8 | AI score 5.7 | EPSS 0.00393
Exploits: 0 | References: 2

Cvelist
•added 2024/12/11 4:56 p.m.•28 views

CVE-2024-47760 GLPI vulnerable to account takeover via API

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.5 | EPSS 0.00457
Exploits: 0 | References: 2

OSV
•added 2024/12/11 3:50 p.m.•16 views

CVE-2024-47758 GLPI vulnerable to account takeover without privilege escalation through the API

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue...

CVSS 7.6 | AI score 4.6 | EPSS 0.00434
Exploits: 0 | References: 4

Vulnrichment
•added 2022/04/21 4:55 p.m.•4 views

CVE-2022-24868 Cross site scripting via SVG file upload in GLPI

GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0, one can exploit a lack of sanitization on SVG file uploads and inject JavaScript into their user avatar. As a result any user...

CVSS 7.3 | AI score 7 | EPSS 0.00597
Exploits: 0 | References: 2

NVD
•added 2020/10/07 7:15 p.m.•17 views

CVE-2020-15177

In GLPI before version 9.5.2, the install/install.php endpoint insecurely stores user input into the database as urlbase and urlbaseapi. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication i...

CVSS 8 | EPSS 0.00761
Exploits: 0 | References: 2

Prion
•added 2020/10/07 7:15 p.m.•19 views

Information disclosure

In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”...

CVSS 6.4 | AI score 8.7 | EPSS 0.7155
Exploits: 1 | References: 2 | Affected Software: 1

NVD
•added 2020/05/12 4:15 p.m.•34 views

CVE-2020-5248

GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data mu...

CVSS 7.2 | AI score 6.9 | EPSS 0.01426
Exploits: 2 | References: 2

Cvelist
•added 2020/05/05 9:20 p.m.•21 views

CVE-2020-11034 bypass of manageRedirect in GLPI

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6...

CVSS 6.1 | AI score 7.3 | EPSS 0.07608
Exploits: 0 | References: 3

Prion
•added 2019/11/01 5:15 p.m.•24 views

Design/Logic Flaw

GLPI 0.83.7 has Local File Inclusion in common.tabs.php...

CVSS 5 | AI score 6.9 | EPSS 0.12976
Exploits: 2 | References: 5 | Affected Software: 2

UbuntuCve
•added 2019/07/10 2:15 p.m.•22 views

CVE-2019-13240

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address...

CVSS 5.9 | AI score 6.2 | EPSS 0.01747
Exploits: 1 | References: 6

Mageia
•added 2018/06/05 9:42 p.m.•35 views

Updated glpi packages fix security vulnerability

Updated glpi package fixes security vulnerability: An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execu...

CVSS 6.1 | AI score 2.6 | EPSS 0.01111
Exploits: 0 | References: 2

UbuntuCve
•added 2017/07/28 5:29 a.m.•29 views

CVE-2017-11183

front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter...

CVSS 5.5 | AI score 6.4 | EPSS 0.01309
Exploits: 0 | References: 3

NVD
•added 2017/07/28 5:29 a.m.•26 views

CVE-2017-11183

front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter...

CVSS 5.5 | AI score 4.8 | EPSS 0.01309
Exploits: 0 | References: 2