Glpi@10.0.0 Security Vulnerabilities and Issues — Glpi@10.0.0 CVE List

Lucene search

Glpi-projectGlpi10.0.0

21 matches found

CVE•added 2023/04/05 6:15 p.m.•74 views

CVE-2023-28849

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endp...

10CVSS6.9AI score0.00427EPSS

CVE•added 2023/12/13 7:15 p.m.•69 views

CVE-2023-46727

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

9.8CVSS9.6AI score0.23296EPSS

CVE•added 2023/09/27 3:19 p.m.•64 views

CVE-2023-42462

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10...

9.1CVSS8.5AI score0.00592EPSS

CVE•added 2023/04/05 6:15 p.m.•62 views

CVE-2023-28838

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Vers...

9.6CVSS8.7AI score0.00375EPSS

CVE•added 2023/01/26 9:18 p.m.•61 views

CVE-2023-22724

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS conten...

6.2CVSS5.2AI score0.00143EPSS

CVE•added 2023/01/26 9:18 p.m.•55 views

CVE-2023-22500

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthentica...

7.5CVSS7.4AI score0.00399EPSS

CVE•added 2023/01/26 9:18 p.m.•55 views

CVE-2023-22725

GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

6.2CVSS5.5AI score0.00157EPSS

CVE•added 2023/01/26 9:18 p.m.•54 views

CVE-2023-22722

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the vict...

6.8CVSS6.1AI score0.00215EPSS

CVE•added 2023/04/05 3:15 p.m.•53 views

CVE-2023-28632

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can...

8.1CVSS7.9AI score0.00209EPSS

CVE•added 2023/04/05 5:15 p.m.•52 views

CVE-2023-28634

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Supe...

8.8CVSS8.7AI score0.00242EPSS

CVE•added 2023/04/05 6:15 p.m.•52 views

CVE-2023-28639

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixe...

6.1CVSS5.8AI score0.00967EPSS

CVE•added 2023/09/27 3:19 p.m.•51 views

CVE-2023-41320

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to take...

9.8CVSS9.4AI score0.00891EPSS

CVE•added 2023/09/27 3:19 p.m.•51 views

CVE-2023-42461

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised t...

9.8CVSS8.4AI score0.00986EPSS

CVE•added 2023/01/26 9:16 p.m.•49 views

CVE-2022-41941

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.

6.2CVSS5.5AI score0.00081EPSS

CVE•added 2023/04/05 4:15 p.m.•49 views

CVE-2023-28633

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature...

5.4CVSS4.8AI score0.00205EPSS

CVE•added 2023/04/05 6:15 p.m.•46 views

CVE-2023-28636

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

4.8CVSS4.5AI score0.00383EPSS

CVE•added 2023/07/05 8:15 p.m.•46 views

CVE-2023-35924

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a worka...

9.8CVSS9.6AI score0.13541EPSS

CVE•added 2023/12/13 7:15 p.m.•46 views

CVE-2023-43813

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

8.8CVSS7.9AI score0.00391EPSS

CVE•added 2023/01/26 9:18 p.m.•43 views

CVE-2023-23610

GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including a...

6.5CVSS6.3AI score0.00144EPSS

CVE•added 2023/04/05 6:15 p.m.•39 views

CVE-2023-28852

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions...

4.8CVSS5AI score0.00403EPSS

CVE•added 2023/12/13 7:15 p.m.•34 views

CVE-2023-46726

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

9.8CVSS8.8AI score0.00126EPSS