Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 1 of 11
CVE-2022-35914 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | affected: ≤ 10.0.2 | published: 2022-09-19
CWE-74: /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
Source: nvd
CVE-2025-24799 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | affected: ≥ 10.0.0, < 10.0.18 | published: 2025-03-18
CWE-89: GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.
Source: nvd
CVE-2021-39211 | P2 | MEDIUM | CVSS 5.3 | Exploited | PoC | affected: ≥ 9.2, < 9.5.6 | published: 2021-09-15
CWE-200: GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.
Source: nvd
CVE-2024-29889 | P2 | HIGH | CVSS 8.1 | PoC | affected: ≥ 10.0.10, < 10.0.15 (fixed in 10.0.15) | published: 2024-05-07
CWE-89: GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account's data and take control of it. This vulnerability is fixed in 10.0.15.
Source: nvd
CVE-2022-31056 | P2 | CRITICAL | CVSS 9.8 | PoC | affected: ≥ 10.0.0, < 10.0.2 | published: 2022-06-28
CWE-89: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit SQL injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.
Source: nvd
CVE-2020-11060 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 9.4.6 | published: 2020-05-12
CWE-74: In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI netw
Source: nvd
CVE-2023-35924 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 10.0.0, < 10.0.8 | published: 2023-07-05
CWE-89: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
Source: nvd
CVE-2023-46727 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 10.0.0, < 10.0.11 | published: 2023-12-13
CWE-89: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.
Source: nvd
CVE-2023-36808 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 0.80, < 10.0.8 | published: 2023-07-05
CWE-89: GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
Source: nvd
CVE-2021-44617 | P2 | CRITICAL | CVSS 9.8 | PoC | affected: v9.4.6 | published: 2022-03-28
CWE-89: A SQL Injection vulnerability exists in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated.
Source: nvd
CVE-2022-31061 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 9.3.0, < 9.5.8; ≥ 10.0.0, < 10.0.2; +2 more | published: 2022-06-28
CWE-89: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. The
Source: nvd
CVE-2024-27098 | P2 | CRITICAL | CVSS 9.6 | affected: ≥ 9.5.0, < 10.0.13 | published: 2024-03-18
CWE-918: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute an SSRF-based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.
Source: nvd
CVE-2022-39323 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 9.1, < 10.0.4 (fixed in 10.0.4) | published: 2022-11-03
CWE-89: GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable lo
Source: nvd
CVE-2020-15175 | P2 | CRITICAL | CVSS 9.1 | fixed in 9.5.2 | published: 2020-10-07
CWE-552: In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compro
Source: nvd
CVE-2013-2227 | P3 | HIGH | CVSS 7.5 | PoC | affected: v0.83.7 | published: 2019-11-01
CWE-20: GLPI 0.83.7 has Local File Inclusion in common.tabs.php.
Source: nvd, osv
CVE-2023-41320 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ 10.0.0, < 10.0.10 | published: 2023-09-27
CWE-89: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to take over an administrator account. Users are advised to
Source: nvd
CVE-2024-40638 | P2 | HIGH | CVSS 8.8 | affected: ≥ 0.85, < 10.0.17 | published: 2024-11-15
CWE-89: GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
Source: nvd
CVE-2016-7508 | P3 | HIGH | CVSS 7.5 | PoC | affected: v0.90.4 | published: 2017-06-21
CWE-89: Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
Source: nvd
CVE-2023-43813 | P2 | HIGH | CVSS 8.8 | affected: ≥ 10.0.0, < 10.0.11 | published: 2023-12-13
CWE-89: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.
Source: nvd
CVE-2023-41326 | P2 | HIGH | CVSS 8.8 | affected: ≥ 9.5.0, < 10.0.10 | published: 2023-09-27
CWE-269: GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any user field and end up stealing its account. Users are advised to upgrade to versio
Source: nvd