Glpi@9.1 Security Vulnerabilities and Issues — Glpi@9.1 CVE List

Lucene search

Glpi-projectGlpi9.1

4 matches found

CVE•added 2020/05/05 10:15 p.m.•93 views

CVE-2020-11033

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non acce...

7.2CVSS6.5AI score0.00446EPSS

Web

CVE•added 2022/11/03 3:15 p.m.•72 views

CVE-2022-39323

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upg...

9.8CVSS9AI score0.01395EPSS

CVE•added 2021/09/15 5:15 p.m.•52 views

CVE-2021-39213

GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

8.8CVSS7.6AI score0.00351EPSS

CVE•added 2019/07/04 3:15 p.m.•46 views

CVE-2019-13239

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

6.1CVSS5.8AI score0.00336EPSS