Glpi-Project Glpi vulnerabilities

CVE-2023-36808 [CRITICAL] CWE-89 CVE-2023-36808: GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

CVE-2023-35940 [HIGH] CWE-284 CVE-2023-35940: GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to vers GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

CVE-2023-35939 [HIGH] CWE-284 CVE-2023-35939: GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to vers GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

CVE-2023-34106 [MEDIUM] CWE-284 CVE-2023-34106: GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-34107 [MEDIUM] CWE-284 CVE-2023-34107: GLPI is a free asset and IT management software package. Versions of the software starting with 9.2. GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

CVE-2023-34244 [MEDIUM] CWE-79 CVE-2023-34244: GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to vers GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

CVE-2023-28838 [HIGH] CWE-89 CVE-2023-28838: GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

CVE-2023-28632 [HIGH] CWE-269 CVE-2023-28632: GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notification

CVE-2023-28634 [HIGH] CWE-285 CVE-2023-28634: GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation.

CVE-2023-28639 [MEDIUM] CWE-79 CVE-2023-28639: GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.

CVE-2023-28633 [MEDIUM] CWE-918 CVE-2023-28633: GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and

CVE-2023-28852 [MEDIUM] CWE-79 CVE-2023-28852: GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to vers GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

CVE-2023-28849 [MEDIUM] CWE-79 CVE-2023-28849: GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to ver GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 conta

CVE-2023-28636 [MEDIUM] CWE-79 CVE-2023-28636: GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versi GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

CVE-2023-22500 [HIGH] CWE-863 CVE-2023-22500: GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As

CVE-2023-23610 [MEDIUM] CWE-269 CVE-2023-23610: GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vul GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched i

CVE-2023-22722 [MEDIUM] CWE-79 CVE-2023-22722: GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 a GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patch

CVE-2023-22724 [MEDIUM] CWE-79 CVE-2023-22724: GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cro GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript.

CVE-2022-41941 [MEDIUM] CWE-79 CVE-2022-41941: GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.

CVE-2023-22725 [MEDIUM] CWE-79 CVE-2023-22725: GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 a GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.