Glpi-Project Glpi vulnerabilities
202 known vulnerabilities affecting glpi-project/glpi.
Total CVEs: 202
CISA KEV: 1 (actively exploited)
Public exploits: 15
Exploited in wild: 3
Severity breakdown
CRITICAL 27, HIGH 59, MEDIUM 113, LOW 3
Vulnerabilities
Page 9 of 11
CVE-2021-21313 | P4 | MEDIUM | CVSS 6.1 | CWE-74 | fixed in 9.5.4 | 2021-03-03 | source: nvd
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before version 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint: at least two parameters, _target and id, are not properly sanitized. Here are two payloads (due to two diff
CVE-2020-15177 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected >= 0.65, < 9.5.2 | fixed in 9.5.2 | 2020-10-07 | source: nvd
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection. Since authentication is not required to perform these changes, anyone
CVE-2023-22722 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≥ 9.4.0, < 9.5.12; ≥ 10.0.0, < 10.0.6; +1 more | 2023-01-26 | source: nvd
GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patch
CVE-2011-2720 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | affected ≤ 0.80.1; 0.5 (+31 more) | 2011-08-05 | source: nvd
The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.
CVE-2019-1010307 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected 9.3.1 | 2019-07-15 | source: nvd
GLPI 9.3.1 is affected by Cross Site Scripting (XSS). The impact is: all dropdown values are vulnerable to XSS, leading to privilege escalation and executing JS as the admin. The component is: /glpi/ajax/getDropDownValue.php. The attack vector is: 1- User creates a ticket, 2- Admin opens another ticket and clicks on the "Link Tickets" fea
CVE-2022-24876 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected 10.0.0 | fixed in 10.0.1 | 2022-06-09 | source: nvd
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1 a user can exploit a cross site scripting vulnerability in Kanban by injecting HTML code in its
CVE-2022-39371 | P4 | MEDIUM | CVSS 5.4 | CWE-80 | affected ≥ 10.0.0, < 10.0.4 | 2022-11-03 | source: nvd
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There
CVE-2019-13239 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected ≥ 9.1, < 9.4.3 | 2019-07-04 | source: nvd
inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.
CVE-2020-11036 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.4.6 | 2020-05-05 | source: nvd
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "alert(1)" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by a
CVE-2012-1105 | P4 | MEDIUM | CVSS 5.5 | affected ≥ 0, < 0.84.3+dfsg.1-1 | 2019-12-05 | source: osv
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
CVE-2021-21258 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≥ 9.5.0, < 9.5.4 | 2021-03-02 | source: nvd
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4.
CVE-2025-64520 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | affected ≥ 9.1.0, < 10.0.21 | 2025-12-16 | source: nvd
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
CVE-2022-21719 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 9.5.7 | 2022-01-28 | source: nvd
GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.
CVE-2014-5032 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | affected ≤ 0.84.6 | 2015-04-14 | source: nvd, osv
GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar.
CVE-2020-11062 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≥ 0.68.1, < 9.4.6 | 2020-05-12 | source: nvd
In GLPI after 0.68.1 and before 9.4.6, multiple reflected XSS issues occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
CVE-2026-32312 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | affected ≥ 11.0.0, < 11.0.7 | 2026-05-19 | source: nvd
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
CVE-2025-53112 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | affected ≥ 9.1.0, < 10.0.19 | 2025-07-30 | source: nvd
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.
CVE-2016-7509 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected 0.90.4 | 2017-07-19 | source: nvd
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
CVE-2024-27104 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 9.5.0, < 10.0.13 | 2024-03-18 | source: nvd
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version
CVE-2023-28852 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 9.5.0, < 9.5.13; ≥ 10.0.0, < 10.0.7; +2 more | 2023-04-05 | source: nvd
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.