CVE-2019-12723
An issue was discovered in the Teclib Fields plugin through 1.9.2 for GLPI. It allows SQL injection via the containerid and oldorder parameters of ajax/reorder.php by an unauthenticated user...
EUVD-2014-8197
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2020-27662
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table...
CVE-2024-56801
Tasklists provides plugin tasklists for GLPI. Versions prior to 2.0.4 have a blind SQL injection vulnerability. Version 2.0.4 contains a patch for the vulnerability...
CVE-2024-11955
A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been...
CVE-2025-21626 GLPI vulnerable to exposure of sensitive information in the `status.php` endpoint
GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the status.php endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the status.p...
CVE-2024-56801 Tasklists has Blind SQL Injection in /ajax/reorder.php
Tasklists provides plugin tasklists for GLPI. Versions prior to 2.0.4 have a blind SQL injection vulnerability. Version 2.0.4 contains a patch for the vulnerability...
PT-2024-10109 · Glpi
Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 10.0.17 Description: The issue is related to a lack of protection against SQL injection attacks. An authenticated user can perform a SQL injection by changing their preferences. This could allow a remote attacker to...
SQL Injection
Description GLPI 10.0.8 and are affected by an SQL injection on the page ajax/dashboard.php Proof of Concept I can provide you the POC written in python3.5 or higher. Just provide me a way to send it to you. Tested under the following environment: - Ubuntu 20.04 - GLPI 10.0.8 and 10.0.7 - Mysql...
CVE-2022-34128
The Cartography aka positions plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php...
GLPI 9.1 < 9.5.6 Rest API IP Restriction Bypass
GLPI from version 9.1 up to (but not including) 9.5.6 with the REST API enabled is vulnerable to an API restriction bypass via custom header injection. No source data...
Security fix for the ALT Linux 10 package glpi version 9.5.10-alt1
Nov. 4, 2022 Pavel Zilke 9.5.10-alt1 - New version 9.5.10 - This release fixes several security issues that have been recently discovered. Update is recommended! - Security fixes: + CVE-2022-39276 : Blind SSRF in RSS feeds and planning + CVE-2022-39372 : Stored XSS in user information +...
Security fix for the ALT Linux 9 package glpi version 9.5.9-alt1
9.5.9-alt1 built Sept. 23, 2022 Pavel Zilke in task 307140 Sept. 14, 2022 Pavel Zilke - New version 9.5.9 - This release fixes several critical security issues that have been recently discovered. Update is strongly recommended! - Security fixes: + CVE-2022-35945 : XSS through registration API +...
VulnCheck KEV: CVE-2021-43778
Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the front/send.php file...
Security fix for the ALT Linux 9 package glpi version 9.5.7-alt1
9.5.7-alt1 built March 21, 2022 Pavel Zilke in task 296878 Jan. 27, 2022 Pavel Zilke - New version 9.5.7 - This is a security release, upgrading is recommended - Security fixes: + CVE-2022-21720 : SQL injection using custom CSS administration form + CVE-2022-21719 : Reflected XSS using reload but...
Security fix for the ALT Linux 10 package glpi version 9.5.7-alt1
9.5.7-alt1 built March 18, 2022 Pavel Zilke in task 296717 Jan. 27, 2022 Pavel Zilke - New version 9.5.7 - This is a security release, upgrading is recommended - Security fixes: + CVE-2022-21720 : SQL injection using custom CSS administration form + CVE-2022-21719 : Reflected XSS using reload but...
PT-2021-20707 · Glpi
Name of the Vulnerable Software and Affected Versions: GLPi version 9.5.4 Description: The issue allows for the insertion of XSS into plugins, enabling the execution of JavaScript code due to the lack of metadata sanitization. Recommendations: For GLPi version 9.5.4, update to a version that...
Security fix for the ALT Linux 10 package glpi version 9.5.2-alt1
Oct. 26, 2020 Pavel Zilke 9.5.2-alt1 - New version 9.5.2 - Security fixes: + CVE-2020-15176 : SQL injection with a query parameter of user form + CVE-2020-15175 : Removal of .htaccess file in the files folder via a plugin endpoint + CVE-2020-15217 : Leakage issue with knowledge base +...
Security fix for the ALT Linux 9 package glpi version 9.5.2-alt1
Oct. 26, 2020 Pavel Zilke 9.5.2-alt1 - New version 9.5.2 - Security fixes: + CVE-2020-15176 : SQL injection with a query parameter of user form + CVE-2020-15175 : Removal of .htaccess file in the files folder via a plugin endpoint + CVE-2020-15217 : Leakage issue with knowledge base +...