Lucene search

K

39 matches found

CVE
CVE
added 2022/09/14 6:15 p.m.267 views

CVE-2022-35946

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to...

6.5CVSS6.1AI score0.00366EPSS
Web
CVE
CVE
added 2022/09/14 6:15 p.m.264 views

CVE-2022-35947

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could lev...

10CVSS9.9AI score0.00172EPSS
CVE
CVE
added 2020/05/12 8:15 p.m.134 views

CVE-2020-11060

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account havin...

9CVSS7.9AI score0.06126EPSS
Web
CVE
CVE
added 2020/05/05 10:15 p.m.98 views

CVE-2020-11034

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

6.1CVSS6.2AI score0.42861EPSS
CVE
CVE
added 2020/11/26 5:15 p.m.95 views

CVE-2020-27662

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

4.3CVSS4.6AI score0.00231EPSS
Web
CVE
CVE
added 2022/04/21 5:15 p.m.94 views

CVE-2022-24867

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the r...

7.8CVSS7.6AI score0.00342EPSS
CVE
CVE
added 2020/11/26 5:15 p.m.93 views

CVE-2020-27663

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

4.3CVSS4.6AI score0.00231EPSS
CVE
CVE
added 2021/03/08 5:15 p.m.90 views

CVE-2021-21325

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a cross-site scripting atta...

6.2CVSS5.2AI score0.00508EPSS
CVE
CVE
added 2021/03/08 5:15 p.m.88 views

CVE-2021-21327

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to ca...

7.5CVSS6.8AI score0.003EPSS
Web
CVE
CVE
added 2020/05/05 10:15 p.m.83 views

CVE-2020-11036

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "" reproduces the attack. This can be exploited by a user with administrator privileges in the Us...

7.6CVSS6.1AI score0.00789EPSS
CVE
CVE
added 2022/04/21 5:15 p.m.78 views

CVE-2022-24868

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewi...

7.3CVSS6.1AI score0.00268EPSS
CVE
CVE
added 2022/01/28 10:15 a.m.75 views

CVE-2022-21719

GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.

6.1CVSS6AI score0.00307EPSS
CVE
CVE
added 2022/01/28 11:15 a.m.70 views

CVE-2022-21720

GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the Entities update right prevents exploitation o...

4.9CVSS5.8AI score0.00407EPSS
CVE
CVE
added 2020/10/07 7:15 p.m.67 views

CVE-2020-15175

In GLPI before version 9.5.2, the ​pluginimage.send.php​ endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. ...

9.1CVSS7.9AI score0.09825EPSS
Web
CVE
CVE
added 2020/11/25 5:15 p.m.67 views

CVE-2020-26212

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of eve...

7.7CVSS6.4AI score0.00285EPSS
CVE
CVE
added 2025/02/25 4:15 p.m.67 views

CVE-2025-21627

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains...

6.5CVSS6.4AI score0.00107EPSS
CVE
CVE
added 2023/07/13 11:15 p.m.66 views

CVE-2023-37278

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

9.1CVSS8.3AI score0.00221EPSS
CVE
CVE
added 2022/11/03 2:15 p.m.64 views

CVE-2022-39276

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote scr...

5.3CVSS4.9AI score0.00118EPSS
CVE
CVE
added 2022/09/14 6:15 p.m.63 views

CVE-2022-36112

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can ...

5.8CVSS5AI score0.0026EPSS
CVE
CVE
added 2025/02/25 6:15 p.m.62 views

CVE-2025-25192

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the install/update.php file.

6.5CVSS6.7AI score0.00087EPSS
CVE
CVE
added 2022/09/14 6:15 p.m.60 views

CVE-2022-35945

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated to registration key are not properly escaped in registration key configuration pa...

6.3CVSS6.5AI score0.00234EPSS
CVE
CVE
added 2020/10/07 7:15 p.m.57 views

CVE-2020-15177

In GLPI before version 9.5.2, the install/install.php endpoint insecurely stores user input into the database as url_base and url_base_api. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication ...

8CVSS6.6AI score0.00305EPSS
Web
CVE
CVE
added 2020/10/07 7:15 p.m.55 views

CVE-2020-15176

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, perso...

8.7CVSS8.6AI score0.00281EPSS
CVE
CVE
added 2020/10/07 8:15 p.m.53 views

CVE-2020-15226

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scen...

5CVSS5.2AI score0.00293EPSS
CVE
CVE
added 2020/05/12 4:15 p.m.53 views

CVE-2020-5248

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must...

7.2CVSS5.4AI score0.02836EPSS
CVE
CVE
added 2021/03/03 8:15 p.m.51 views

CVE-2021-21313

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not prope...

6.1CVSS5.7AI score0.00388EPSS
Web
CVE
CVE
added 2022/09/14 6:15 p.m.51 views

CVE-2022-31187

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global search context. Users ar...

6.8CVSS5.9AI score0.00316EPSS
CVE
CVE
added 2022/09/14 6:15 p.m.50 views

CVE-2022-31143

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of G...

5.3CVSS5.5AI score0.00157EPSS
CVE
CVE
added 2022/11/03 2:15 p.m.50 views

CVE-2022-39234

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue...

8.8CVSS6.4AI score0.00172EPSS
CVE
CVE
added 2020/07/17 9:15 p.m.49 views

CVE-2020-15108

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

7.1CVSS7.3AI score0.00341EPSS
CVE
CVE
added 2021/03/03 8:15 p.m.49 views

CVE-2021-21314

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.

5.4CVSS5.2AI score0.00321EPSS
CVE
CVE
added 2021/03/08 5:15 p.m.49 views

CVE-2021-21324

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the abili...

6.8CVSS6.6AI score0.00312EPSS
Web
CVE
CVE
added 2021/03/03 8:15 p.m.44 views

CVE-2021-21312

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/docume...

5.4CVSS5.4AI score0.00321EPSS
Web
CVE
CVE
added 2021/09/15 5:15 p.m.43 views

CVE-2021-39210

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue ...

6.5CVSS6.3AI score0.00329EPSS
CVE
CVE
added 2020/09/23 4:15 p.m.42 views

CVE-2020-11031

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library ...

7.8CVSS7.4AI score0.00055EPSS
CVE
CVE
added 2021/03/08 5:15 p.m.41 views

CVE-2021-21326

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems enabled. This is fi...

7.7CVSS6.5AI score0.00211EPSS
CVE
CVE
added 2019/03/27 5:29 p.m.40 views

CVE-2019-10233

Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.

8.1CVSS8AI score0.00433EPSS
CVE
CVE
added 2019/07/10 2:15 p.m.40 views

CVE-2019-13240

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.

5.9CVSS5.6AI score0.00544EPSS
CVE
CVE
added 2021/09/15 4:15 p.m.39 views

CVE-2021-39209

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. Ther...

8.8CVSS8.7AI score0.00137EPSS