Lucene search

K

GLPI Security Vulnerabilities

cve
cve

CVE-2024-31456

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in...

7.7CVSS

7.8AI Score

0.0004EPSS

2024-05-07 02:15 PM
36
cve
cve

CVE-2024-29889

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in...

7.1CVSS

7.9AI Score

0.0004EPSS

2024-05-07 02:15 PM
32
cve
cve

CVE-2024-28240

The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the case the Deploy...

7.3CVSS

7.5AI Score

0.0004EPSS

2024-04-25 05:15 PM
25
cve
cve

CVE-2024-27937

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version...

6.5CVSS

7.2AI Score

0.0004EPSS

2024-03-18 04:15 PM
61
cve
cve

CVE-2024-28241

The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which.....

7.3CVSS

7.5AI Score

0.0004EPSS

2024-04-25 05:15 PM
25
cve
cve

CVE-2024-27930

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version...

6.5CVSS

7AI Score

0.0004EPSS

2024-03-18 04:15 PM
59
cve
cve

CVE-2024-27104

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to....

4.5CVSS

6.3AI Score

0.0004EPSS

2024-03-18 05:15 PM
41
cve
cve

CVE-2024-27096

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in...

7.7CVSS

8.1AI Score

0.0004EPSS

2024-03-18 05:15 PM
44
cve
cve

CVE-2024-27914

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if.....

5.3CVSS

6.4AI Score

0.0004EPSS

2024-03-18 05:15 PM
36
cve
cve

CVE-2024-27098

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version...

6.4CVSS

7.4AI Score

0.001EPSS

2024-03-18 05:15 PM
36
cve
cve

CVE-2023-51446

GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to...

8.1CVSS

8AI Score

0.001EPSS

2024-02-01 06:15 PM
22
cve
cve

CVE-2024-23645

GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to...

6.1CVSS

6.6AI Score

0.001EPSS

2024-02-01 06:15 PM
15
cve
cve

CVE-2023-43813

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the...

8.8CVSS

8.4AI Score

0.001EPSS

2023-12-13 07:15 PM
10
cve
cve

CVE-2023-46726

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the...

9.8CVSS

8.4AI Score

0.001EPSS

2023-12-13 07:15 PM
6
cve
cve

CVE-2023-46727

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native...

9.8CVSS

8.4AI Score

0.001EPSS

2023-12-13 07:15 PM
30
cve
cve

CVE-2023-42802

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP....

9.8CVSS

7.5AI Score

0.001EPSS

2023-11-02 02:15 PM
17
cve
cve

CVE-2020-11034

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version...

6.1CVSS

6.5AI Score

0.005EPSS

2020-05-05 10:15 PM
59
cve
cve

CVE-2020-11036

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges.....

5.4CVSS

5.8AI Score

0.001EPSS

2020-05-05 10:15 PM
59
cve
cve

CVE-2020-11033

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non...

7.2CVSS

7.1AI Score

0.002EPSS

2020-05-05 10:15 PM
61
cve
cve

CVE-2023-22724

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS...

4.8CVSS

4.8AI Score

0.001EPSS

2023-01-26 09:18 PM
25
cve
cve

CVE-2020-15175

In GLPI before version 9.5.2, the ?pluginimage.send.php? endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”.....

9.1CVSS

8.7AI Score

0.001EPSS

2020-10-07 07:15 PM
37
5
cve
cve

CVE-2020-11035

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version...

9.3CVSS

8.9AI Score

0.003EPSS

2020-05-05 10:15 PM
64
cve
cve

CVE-2022-39181

GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous...

6.1CVSS

6AI Score

0.001EPSS

2022-11-17 11:15 PM
36
4
cve
cve

CVE-2023-41322

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take...

8.8CVSS

8.9AI Score

0.001EPSS

2023-09-27 03:19 PM
22
cve
cve

CVE-2023-41326

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with...

8.8CVSS

8.6AI Score

0.001EPSS

2023-09-27 03:19 PM
21
cve
cve

CVE-2023-41888

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page.....

5.4CVSS

5.5AI Score

0.0005EPSS

2023-09-27 03:19 PM
20
cve
cve

CVE-2023-42462

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version...

9.1CVSS

9.1AI Score

0.0005EPSS

2023-09-27 03:19 PM
34
cve
cve

CVE-2023-41323

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There.....

5.3CVSS

6.2AI Score

0.001EPSS

2023-09-27 03:19 PM
34
cve
cve

CVE-2023-41320

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to...

9.8CVSS

9.8AI Score

0.001EPSS

2023-09-27 03:19 PM
18
cve
cve

CVE-2023-41321

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are...

6.5CVSS

6.4AI Score

0.0005EPSS

2023-09-27 03:19 PM
2119
cve
cve

CVE-2023-41324

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to....

8.8CVSS

8.4AI Score

0.001EPSS

2023-09-27 03:19 PM
2124
cve
cve

CVE-2023-42461

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised.....

9.8CVSS

9.7AI Score

0.001EPSS

2023-09-27 03:19 PM
20
cve
cve

CVE-2021-30144

The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be...

4.3CVSS

4.7AI Score

0.001EPSS

2021-04-06 05:15 AM
31
2
cve
cve

CVE-2023-37278

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version...

9.1CVSS

9.5AI Score

0.001EPSS

2023-07-13 11:15 PM
36
cve
cve

CVE-2023-34106

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should...

6.5CVSS

6.4AI Score

0.0005EPSS

2023-07-05 06:15 PM
76
cve
cve

CVE-2023-35940

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this...

7.5CVSS

7.6AI Score

0.001EPSS

2023-07-05 09:15 PM
14
cve
cve

CVE-2023-34244

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8.....

6.1CVSS

6AI Score

0.001EPSS

2023-07-05 08:15 PM
88
cve
cve

CVE-2023-35939

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version...

8.1CVSS

7.9AI Score

0.001EPSS

2023-07-05 09:15 PM
92
cve
cve

CVE-2023-35924

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a...

9.8CVSS

9.7AI Score

0.001EPSS

2023-07-05 08:15 PM
21
cve
cve

CVE-2023-36808

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native.....

9.8CVSS

9.7AI Score

0.001EPSS

2023-07-05 09:15 PM
24
cve
cve

CVE-2023-34107

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this...

6.5CVSS

6.4AI Score

0.0005EPSS

2023-07-05 08:15 PM
91
cve
cve

CVE-2023-34254

The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In....

7.2CVSS

7AI Score

0.001EPSS

2023-06-23 09:15 PM
22
cve
cve

CVE-2022-39370

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This issue has been...

4.3CVSS

6.9AI Score

0.001EPSS

2022-11-03 04:15 PM
17
cve
cve

CVE-2021-21327

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...

7.5CVSS

7.3AI Score

0.019EPSS

2021-03-08 05:15 PM
55
cve
cve

CVE-2022-34128

The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to...

9.8CVSS

9.8AI Score

0.016EPSS

2023-04-16 03:15 AM
22
2
cve
cve

CVE-2022-34125

front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file...

6.5CVSS

6.2AI Score

0.01EPSS

2023-04-16 03:15 AM
19
cve
cve

CVE-2022-34126

The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file...

7.5CVSS

7.5AI Score

0.001EPSS

2023-04-16 03:15 AM
226
2
cve
cve

CVE-2022-34127

The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file...

7.5CVSS

7.5AI Score

0.023EPSS

2023-04-16 03:15 AM
227
2
cve
cve

CVE-2023-28639

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is...

6.1CVSS

6.3AI Score

0.001EPSS

2023-04-05 06:15 PM
27
cve
cve

CVE-2023-28852

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard....

4.8CVSS

6.1AI Score

0.001EPSS

2023-04-05 06:15 PM
18
Total number of security vulnerabilities146