
Glpi-Project Glpi vulnerabilities

202 known vulnerabilities affecting glpi-project/glpi.

Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in the wild: 3
Severity breakdown: CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3

Vulnerabilities (page 8 of 11)

Each entry lists: CVE ID | priority | severity | CVSS score | affected or fixed versions | date, followed by the CWE, the description and the source.
CVE-2022-39276 | P4 | MEDIUM | CVSS 5.3 | fixed in 10.0.4 | 2022-11-03
CWE-918 (Server-Side Request Forgery): GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target
Source: NVD

CVE-2024-45611 | P4 | MEDIUM | CVSS 5.4 | ≥ 0.84, < 10.0.17 | 2024-11-15
CWE-79 (Cross-Site Scripting): GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to trigger a stored XSS. Upgrade to 10.0.17.
Source: NVD

CVE-2025-27514 | P4 | MEDIUM | CVSS 5.4 | ≥ 9.5.0, < 10.0.19 | 2025-07-29
CWE-79 (Cross-Site Scripting): GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.
Source: NVD

CVE-2022-21720 | P4 | MEDIUM | CVSS 4.9 | fixed in 9.5.7 | 2022-01-28
CWE-89 (SQL Injection): GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.
Source: NVD

CVE-2025-52567 | P4 | MEDIUM | CVSS 5.0 | ≥ 0.84, < 10.0.19 | 2025-07-30
CWE-918 (Server-Side Request Forgery): GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain sp
Source: NVD

CVE-2020-15226 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.5.2 (affected ≥ 9.1, < 9.5.2) | 2020-10-07
CWE-89 (SQL Injection): In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an
Source: NVD

CVE-2021-3486 | P4 | MEDIUM | CVSS 6.1 | 9.5.4 | 2021-05-26
CWE-79 (Cross-Site Scripting): GLPi 9.5.4 does not sanitize the metadata. This way it's possible to insert XSS into plugins to execute JavaScript code.
Source: NVD

CVE-2018-7563 | P4 | MEDIUM | CVSS 6.1 | ≤ 9.2.1 | 2018-03-12
CWE-79 (Cross-Site Scripting): An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of action
Source: NVD

CVE-2024-27914 | P4 | MEDIUM | CVSS 6.1 | ≥ 10.0.8, < 10.0.13 | 2024-03-18
CWE-79 (Cross-Site Scripting): GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This
Source: NVD

CVE-2024-41678 | P4 | MEDIUM | CVSS 6.1 | ≥ 0.50, < 10.0.17 | 2024-11-15
CWE-79 (Cross-Site Scripting): GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
Source: NVD

CVE-2024-43418 | P4 | MEDIUM | CVSS 6.1 | ≥ 0.65, < 10.0.17 | 2024-11-15
CWE-79 (Cross-Site Scripting): GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
Source: NVD

CVE-2024-43417 | P4 | MEDIUM | CVSS 6.1 | ≥ 10.0.0, < 10.0.17 | 2024-11-15
CWE-79 (Cross-Site Scripting): GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.
Source: NVD

CVE-2020-15217 | P4 | MEDIUM | CVSS 5.3 | ≥ 9.5.0, < 9.5.2 | 2020-10-07
CWE-79 (Cross-Site Scripting): In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
Source: NVD

CVE-2022-24869 | P4 | MEDIUM | CVSS 5.4 | ≤ 0.90; ≥ 0.90, < 10.0.0 | 2022-04-21
CWE-79 (Cross-Site Scripting): GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors securi
Source: NVD

CVE-2022-24868 | P4 | MEDIUM | CVSS 5.4 | fixed in 10.0.0 | 2022-04-21
CWE-79 (Cross-Site Scripting): GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripti
Source: NVD

CVE-2022-31187 | P4 | MEDIUM | CVSS 5.4 | fixed in 10.0.3 (affected ≥ 10.0.0, < 10.0.3) | 2022-09-14
CWE-79 (Cross-Site Scripting): GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve thi
Source: NVD

CVE-2022-39375 | P4 | MEDIUM | CVSS 5.4 | ≥ 0.84, < 10.0.4 | 2022-11-03
CWE-79 (Cross-Site Scripting): GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version
Source: NVD

CVE-2022-31143 | P4 | MEDIUM | CVSS 5.3 | fixed in 10.0.3 (affected ≥ 9.5.0, < 10.0.3) | 2022-09-14
CWE-200 (Exposure of Sensitive Information): GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords ar
Source: NVD

CVE-2022-39372 | P4 | MEDIUM | CVSS 5.4 | ≥ 0.70, < 10.0.4 | 2022-11-03
CWE-79 (Cross-Site Scripting): GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currentl
Source: NVD

CVE-2012-4002 | P4 | MEDIUM | CVSS 6.8 | ≤ 0.83.2 (0.5 and 47 more listed versions) | 2012-10-09
CWE-352 (Cross-Site Request Forgery): Cross-site request forgery (CSRF) vulnerability in GLPI-PROJECT GLPI before 0.83.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Source: NVD