Lucene search: Glpi-project Glpi

31 matches found

CVE-2023-41324 (added 2023/09/27 3:19 p.m., 2498 views)

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that has read access on the users resource can steal accounts of other users. Users are advised to ...

CVSS 8.8, AI score 8.2, EPSS 0.00326
CVE-2023-35939 (added 2023/07/05 9:15 p.m., 125 views)

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file accessible by an authenticated user (or not, for certain actions) allows a threat actor to interact with, modify, or see Dashboard data. Version 10.0.8...

CVSS 8.1, AI score 8, EPSS 0.0018
CVE-2024-47758 (added 2024/12/11 4:15 p.m., 81 views)

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that has the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

CVSS 8.8, AI score 6.6, EPSS 0.00151
CVE-2024-29889 (added 2024/05/07 2:15 p.m., 80 views)

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.

CVSS 8.1, AI score 7.4, EPSS 0.51856
CVE-2024-47760 (added 2024/12/11 5:15 p.m., 78 views)

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

CVSS 8.8, AI score 6.8, EPSS 0.00112
CVE-2025-24801 (added 2025/03/18 7:15 p.m., 70 views)

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

CVSS 8.5, AI score 8.4, EPSS 0.00018
CVE-2024-27756 (added 2024/03/15 7:15 a.m., 68 views)

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.

CVSS 8.8, AI score 6.9, EPSS 0.00083
CVE-2022-29250 (added 2022/06/09 8:15 p.m., 67 views)

GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user mus...

CVSS 8.1, AI score 7.1, EPSS 0.00236
CVE-2025-21619 (added 2025/03/18 7:15 p.m., 59 views)

GLPI is a free asset and IT management software package. An administrator user can perform a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

CVSS 8.2, AI score 7.3, EPSS 0.00036
CVE-2019-14666 (added 2019/09/25 8:15 p.m., 57 views)

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user....

CVSS 8.8, AI score 8.7, EPSS 0.02999
CVE-2020-15177 (added 2020/10/07 7:15 p.m., 56 views)

In GLPI before version 9.5.2, the install/install.php endpoint insecurely stores user input into the database as url_base and url_base_api. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication ...

CVSS 8, AI score 6.6, EPSS 0.00305
CVE-2024-37149 (added 2024/07/10 8:15 p.m., 56 views)

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

CVSS 8.8, AI score 7, EPSS 0.00117
CVE-2023-41322 (added 2023/09/27 3:19 p.m., 55 views)

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take con...

CVSS 8.8, AI score 7, EPSS 0.00206
CVE-2024-40638 (added 2024/11/15 6:15 p.m., 55 views)

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

CVSS 8.8, AI score 8.6, EPSS 0.00137
CVE-2020-15176 (added 2020/10/07 7:15 p.m., 54 views)

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query, the application does not escape or sanitize it, allowing SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, perso...

CVSS 8.7, AI score 8.6, EPSS 0.00281
CVE-2023-41326 (added 2023/09/27 3:19 p.m., 54 views)

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any user field, and end up with steali...

CVSS 8.8, AI score 8.4, EPSS 0.00223
CVE-2024-45608 (added 2024/11/15 7:15 p.m., 53 views)

GLPI is a free asset and IT management software package. An authenticated user can perform a SQL injection by changing their preferences. Upgrade to 10.0.17.

CVSS 8.8, AI score 7.2, EPSS 0.00137
CVE-2024-48912 (added 2024/12/11 5:15 p.m., 52 views)

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

CVSS 8.1, AI score 6.4, EPSS 0.00125
CVE-2024-41679 (added 2024/11/15 7:15 p.m., 51 views)

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

CVSS 8.8, AI score 7, EPSS 0.00146
CVE-2023-28632 (added 2023/04/05 3:15 p.m., 50 views)

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify the emails of any user, and can therefore take over another user's account through the "forgotten password" feature. By modifying emails, the user can...

CVSS 8.1, AI score 7.9, EPSS 0.00209
CVE-2023-28634 (added 2023/04/05 5:15 p.m., 50 views)

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such a token it is possible to negotiate a GLPI session and hijack the Supe...

CVSS 8.8, AI score 8.7, EPSS 0.00235
CVE-2021-39213 (added 2021/09/15 5:15 p.m., 49 views)

GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

CVSS 8.8, AI score 7.6, EPSS 0.00351
CVE-2023-51446 (added 2024/02/01 6:15 p.m., 48 views)

GLPI is a Free Asset and IT Management Software package. When authentication is made against an LDAP directory, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

CVSS 8.1, AI score 8.3, EPSS 0.00568
CVE-2024-37148 (added 2024/07/10 8:15 p.m., 48 views)

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user's account data and take control of it. Upgrade ...

CVSS 8.1, AI score 8.3, EPSS 0.00111
CVE-2022-39234 (added 2022/11/03 2:15 p.m., 47 views)

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue...

CVSS 8.8, AI score 6.4, EPSS 0.00129
CVE-2023-43813 (added 2023/12/13 7:15 p.m., 45 views)

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

CVSS 8.8, AI score 7.9, EPSS 0.00391
CVE-2017-11475 (added 2017/07/20 4:29 a.m., 43 views)

GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.

CVSS 8.8, AI score 9.6, EPSS 0.00232
CVE-2018-13049 (added 2018/07/02 11:29 a.m., 42 views)

The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.

CVSS 8.8, AI score 8.5, EPSS 0.00281
CVE-2019-10233 (added 2019/03/27 5:29 p.m., 39 views)

Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.

CVSS 8.1, AI score 8, EPSS 0.00433
CVE-2021-39209 (added 2021/09/15 4:15 p.m., 37 views)

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. Ther...

CVSS 8.8, AI score 8.7, EPSS 0.00137
CVE-2016-7507 (added 2017/07/19 1:29 p.m., 33 views)

Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.

CVSS 8, AI score 7.5, EPSS 0.0016