Glpi Security Vulnerabilities and Issues — Glpi CVE List

Lucene search

Glpi-projectGlpi

8 matches found

CVE•added 2023/04/05 6:15 p.m.•73 views

CVE-2023-28849

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endp...

10CVSS6.9AI score0.00427EPSS

CVE•added 2023/04/05 6:15 p.m.•59 views

CVE-2023-28838

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Vers...

9.6CVSS8.7AI score0.00365EPSS

CVE•added 2023/04/05 6:15 p.m.•51 views

CVE-2023-28639

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixe...

6.1CVSS5.8AI score0.00967EPSS

CVE•added 2023/04/05 3:15 p.m.•50 views

CVE-2023-28632

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can...

8.1CVSS7.9AI score0.00209EPSS

CVE•added 2023/04/05 5:15 p.m.•50 views

CVE-2023-28634

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Supe...

8.8CVSS8.7AI score0.00235EPSS

CVE•added 2023/04/05 4:15 p.m.•48 views

CVE-2023-28633

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature...

5.4CVSS4.8AI score0.00205EPSS

CVE•added 2023/04/05 6:15 p.m.•44 views

CVE-2023-28636

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

4.8CVSS4.5AI score0.00383EPSS

CVE•added 2023/04/05 6:15 p.m.•37 views

CVE-2023-28852

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions...

4.8CVSS5AI score0.00403EPSS