Glpi

An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7.

Published: 2026-06-02T18:32:01.150Z
Updated: 2026-06-03T15:36:03.074Z

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.

Published: 2026-06-02T23:02:35.315Z
Updated: 2026-06-03T12:41:58.361Z

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

Published: 2026-05-18T23:46:26.200Z
Updated: 2026-05-19T12:10:53.021Z

GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

Published: 2026-04-06T14:39:15.996Z
Updated: 2026-04-07T13:06:57.659Z

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

Published: 2026-04-06T14:36:57.028Z
Updated: 2026-04-07T03:55:42.069Z

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory endpoint. This vulnerability is fixed in 11.0.6.

Published: 2026-04-06T14:35:53.788Z
Updated: 2026-04-07T03:55:40.983Z

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

Published: 2026-04-06T14:33:05.188Z
Updated: 2026-04-07T03:55:39.862Z

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.

Published: 2026-03-17T23:16:38.069Z
Updated: 2026-03-19T03:55:19.142Z

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue.

Published: 2026-03-17T19:41:32.444Z
Updated: 2026-03-18T20:00:30.055Z

GLPI is a Free Asset and IT Management Software package. From 0.60 to before 10.0.24, an authenticated technician user can store an XSS payload in a supplier fields. This vulnerability is fixed in 10.0.24.

Published: 2026-04-06T14:31:02.319Z
Updated: 2026-04-07T13:07:09.230Z

GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .

Published: 2026-02-04T17:15:33.750Z
Updated: 2026-02-04T19:56:27.764Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. From 11.0.0 to before 11.0.5, an authenticated technician user can upload a malicious file and trigger its execution through an unsafe PHP instantiation. This vulnerability is fixed in 11.0.5.

Published: 2026-03-11T15:27:04.975Z
Updated: 2026-03-12T03:55:34.194Z

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5.

Published: 2026-02-04T17:10:30.153Z
Updated: 2026-02-05T14:33:19.799Z

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23.

Published: 2026-02-04T17:15:39.205Z
Updated: 2026-02-04T19:27:43.406Z

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3.

Published: 2026-01-15T16:25:03.467Z
Updated: 2026-01-15T16:45:31.206Z

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.

Published: 2025-12-16T21:59:02.772Z
Updated: 2025-12-17T21:09:17.003Z

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.

Published: 2026-01-15T16:01:03.470Z
Updated: 2026-01-15T16:08:18.590Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch.

Published: 2025-12-16T16:34:46.251Z
Updated: 2025-12-16T17:15:24.435Z

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.

Published: 2025-07-30T14:17:58.803Z
Updated: 2025-07-30T19:31:11.425Z

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.

Published: 2025-07-30T14:16:36.631Z
Updated: 2025-07-30T19:30:40.525Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19.

Published: 2025-07-30T14:15:22.000Z
Updated: 2025-07-30T19:29:35.826Z

GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.

Published: 2025-07-30T14:14:25.821Z
Updated: 2025-07-30T19:29:10.968Z

GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19.

Published: 2025-08-27T14:40:36.061Z
Updated: 2025-08-27T14:53:44.518Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19.

Published: 2025-07-30T14:09:58.592Z
Updated: 2025-07-30T19:28:38.917Z

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19.

Published: 2025-07-30T14:07:58.830Z
Updated: 2025-07-30T19:28:12.527Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19.

Published: 2025-07-30T14:07:14.643Z
Updated: 2025-07-30T19:27:34.141Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19.

Published: 2025-07-29T17:39:28.813Z
Updated: 2025-07-29T18:35:50.874Z

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Published: 2025-02-25T17:58:20.388Z
Updated: 2025-03-18T17:03:35.247Z

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18.

Published: 2025-03-18T18:32:06.401Z
Updated: 2025-03-18T18:51:51.204Z

GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

Published: 2025-03-18T18:27:54.631Z
Updated: 2025-03-18T18:53:35.088Z

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Published: 2025-02-25T17:48:17.801Z
Updated: 2025-02-25T19:30:57.599Z

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Published: 2025-02-25T15:47:32.768Z
Updated: 2025-02-25T20:19:56.936Z

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

Published: 2025-02-25T15:43:34.919Z
Updated: 2025-02-25T19:12:43.921Z

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

Published: 2025-02-25T15:37:27.689Z
Updated: 2025-02-25T15:48:58.424Z

GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.

Published: 2025-03-18T18:25:13.457Z
Updated: 2025-03-18T18:55:26.778Z

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Published: 2024-12-11T17:48:42.230Z
Updated: 2024-12-11T18:31:59.719Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

Published: 2024-12-11T17:03:10.014Z
Updated: 2024-12-11T19:32:49.465Z

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Published: 2024-12-11T17:00:49.124Z
Updated: 2024-12-12T15:15:33.980Z

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Published: 2024-12-11T16:56:57.600Z
Updated: 2024-12-11T20:16:34.813Z

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

Published: 2024-11-15T17:42:00.532Z
Updated: 2024-11-21T14:55:31.413Z

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Published: 2024-12-11T15:50:22.285Z
Updated: 2024-12-11T17:10:22.033Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.

Published: 2024-11-15T20:16:18.459Z
Updated: 2024-11-19T14:13:31.675Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

Published: 2024-11-15T20:14:33.893Z
Updated: 2024-11-15T21:10:37.523Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.

Published: 2024-11-15T20:02:33.302Z
Updated: 2024-11-15T21:11:16.977Z

GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.

Published: 2024-11-15T18:24:48.240Z
Updated: 2024-11-15T18:40:55.776Z

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

Published: 2024-11-15T18:23:32.376Z
Updated: 2024-11-15T18:41:14.709Z

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

Published: 2024-11-15T18:22:03.977Z
Updated: 2024-11-15T18:41:33.591Z

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Published: 2024-11-18T16:27:06.243Z
Updated: 2024-11-18T18:34:01.203Z

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

Published: 2024-11-15T18:20:44.135Z
Updated: 2024-11-15T18:41:51.784Z

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

Published: 2024-11-15T18:08:46.836Z
Updated: 2024-11-15T18:21:52.262Z

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

Published: 2024-11-15T18:06:36.649Z
Updated: 2024-11-19T14:11:25.885Z

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.

Published: 2024-11-15T21:12:56.606Z
Updated: 2024-11-18T19:02:59.188Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Published: 2024-07-10T19:20:36.161Z
Updated: 2024-11-19T14:15:12.413Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.

Published: 2024-07-10T19:18:09.444Z
Updated: 2024-11-19T14:15:49.487Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.

Published: 2024-07-10T18:38:37.588Z
Updated: 2024-08-02T03:50:54.626Z

An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input.

Published: 2024-04-29T00:00:00.000Z
Updated: 2025-11-04T18:30:54.187Z

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.

Published: 2024-05-07T14:07:08.277Z
Updated: 2024-08-02T01:52:56.947Z

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.

Published: 2024-05-07T14:05:31.713Z
Updated: 2024-08-02T01:17:58.452Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.

Published: 2024-03-18T15:17:18.178Z
Updated: 2024-08-02T00:41:55.829Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.

Published: 2024-03-18T15:29:11.382Z
Updated: 2024-08-02T15:26:25.744Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

Published: 2024-03-18T16:19:00.298Z
Updated: 2024-08-02T15:25:55.247Z

GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.

Published: 2024-03-15T00:00:00.000Z
Updated: 2024-08-27T13:59:45.258Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

Published: 2024-03-18T16:16:38.709Z
Updated: 2024-08-26T14:00:56.673Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

Published: 2024-03-18T16:14:18.894Z
Updated: 2024-08-02T00:27:59.073Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

Published: 2024-03-18T16:11:08.100Z
Updated: 2025-04-10T20:23:57.596Z

GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.

Published: 2024-02-01T15:24:57.438Z
Updated: 2024-08-01T23:06:25.359Z

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Published: 2025-02-25T15:07:56.854Z
Updated: 2025-02-25T16:19:33.562Z

GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.

Published: 2025-12-18T19:53:36.242Z
Updated: 2026-04-07T14:08:01.479Z

GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

Published: 2024-02-01T15:25:01.465Z
Updated: 2024-08-02T22:32:09.928Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

Published: 2023-12-13T18:26:35.980Z
Updated: 2024-11-19T14:17:31.449Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

Published: 2023-12-13T18:25:06.408Z
Updated: 2024-08-02T20:53:21.575Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Published: 2023-12-13T18:17:21.359Z
Updated: 2024-08-02T19:52:11.294Z

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

Published: 2023-11-02T13:32:33.840Z
Updated: 2024-09-05T15:16:42.339Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:46:27.213Z
Updated: 2024-09-23T19:26:41.531Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:45:26.071Z
Updated: 2024-09-23T19:32:26.308Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:44:02.121Z
Updated: 2024-09-23T19:32:50.812Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:40:49.778Z
Updated: 2024-09-23T20:15:50.243Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:37:35.982Z
Updated: 2024-09-23T20:16:20.318Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T22:35:37.108Z
Updated: 2024-09-23T20:20:51.213Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.

Published: 2023-09-26T22:34:06.088Z
Updated: 2024-09-23T20:21:30.292Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T21:16:31.589Z
Updated: 2024-09-23T20:24:39.908Z

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Published: 2023-09-26T21:15:39.479Z
Updated: 2024-09-23T20:17:20.831Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

Published: 2023-07-13T22:37:29.892Z
Updated: 2024-10-18T18:19:09.135Z

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

Published: 2023-07-05T20:52:48.874Z
Updated: 2024-10-18T19:39:38.690Z

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

Published: 2023-07-05T20:46:04.061Z
Updated: 2024-10-18T19:56:25.969Z

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

Published: 2023-07-05T20:42:52.139Z
Updated: 2024-10-18T19:57:17.865Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

Published: 2023-07-05T19:35:33.232Z
Updated: 2024-10-18T19:58:12.082Z

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

Published: 2023-07-05T19:22:07.569Z
Updated: 2024-10-21T21:11:18.143Z

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

Published: 2023-07-05T19:15:31.060Z
Updated: 2024-10-24T17:59:56.346Z

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

Published: 2023-07-05T17:48:32.727Z
Updated: 2024-10-24T19:03:48.145Z

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Published: 2023-04-05T17:45:30.721Z
Updated: 2025-02-10T16:28:02.420Z

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

Published: 2023-04-05T17:41:20.945Z
Updated: 2025-02-10T16:35:09.282Z

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.

Published: 2023-04-05T17:39:04.966Z
Updated: 2025-02-10T16:35:30.969Z

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.

Published: 2023-04-05T00:00:00.000Z
Updated: 2025-02-13T16:48:48.001Z

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

Published: 2023-04-05T17:21:22.297Z
Updated: 2025-02-10T16:35:50.742Z

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Published: 2023-04-05T16:06:11.361Z
Updated: 2025-02-10T16:36:41.599Z

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Published: 2023-04-05T15:27:58.849Z
Updated: 2025-02-10T16:37:09.581Z

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.

Published: 2023-04-05T14:45:12.075Z
Updated: 2025-02-10T18:05:31.292Z

GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.

Published: 2023-01-25T05:46:35.549Z
Updated: 2025-03-10T21:20:13.945Z

GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

Published: 2023-01-25T05:50:19.071Z
Updated: 2025-03-10T21:20:08.158Z

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

Published: 2023-01-25T05:55:10.180Z
Updated: 2025-03-10T21:20:01.945Z

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.

Published: 2023-01-25T05:58:01.087Z
Updated: 2025-03-10T21:19:55.688Z

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`).

Published: 2023-01-25T06:03:56.522Z
Updated: 2025-03-10T21:19:50.164Z

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.

Published: 2023-01-25T06:06:23.147Z
Updated: 2025-03-10T21:19:43.894Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:40:36.716Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:40:44.964Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:40:53.732Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:41:02.408Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:41:10.214Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This issue has been patched, please upgrade to 10.0.4. As a workaround, delete the `install/update.php` script.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:41:16.210Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on API Rest.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:41:22.419Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-22T16:08:34.091Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by administrator. This issue has been patched, please upgrade to 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-22T16:08:44.482Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-22T16:08:55.858Z

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Published: 2022-11-03T00:00:00.000Z
Updated: 2025-04-23T16:41:28.244Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

Published: 2022-09-14T17:45:18.000Z
Updated: 2025-04-23T17:10:34.106Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.

Published: 2022-09-14T17:50:09.000Z
Updated: 2025-04-23T17:10:29.036Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have "General setup" update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.

Published: 2022-09-14T17:55:09.000Z
Updated: 2025-04-23T17:10:23.604Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated to registration key are not properly escaped in registration key configuration page. They can be used to steal a GLPI administrator cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue. ### Workarounds Do not use a registration key created by an untrusted person.

Published: 2022-09-14T17:45:12.000Z
Updated: 2025-04-23T17:10:39.478Z

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Published: 2022-09-19T00:00:00.000Z
Updated: 2025-10-21T23:15:35.415Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve this issue. Users unable to upgrade should disable global search.

Published: 2022-09-14T18:00:15.000Z
Updated: 2025-04-23T17:10:16.885Z

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.

Published: 2022-09-14T17:40:09.000Z
Updated: 2025-04-23T17:10:45.574Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated. This issue has been addressed in version 10.0.2 and all affected users are advised to upgrade.

Published: 2022-06-28T17:50:11.000Z
Updated: 2025-04-23T18:05:50.048Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Published: 2022-06-28T17:55:11.000Z
Updated: 2025-04-23T18:05:44.059Z

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.

Published: 2022-06-28T00:00:00.000Z
Updated: 2025-04-23T18:06:03.824Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.

Published: 2022-06-09T19:55:12.000Z
Updated: 2025-04-23T18:17:31.203Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1 a user can exploit a cross site scripting vulnerability in Kanban by injecting HTML code in its user name. Users are advised to upgrade. There are no known workarounds for this issue.

Published: 2022-06-09T18:50:25.000Z
Updated: 2025-04-23T18:18:05.307Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.

Published: 2022-04-21T17:00:16.000Z
Updated: 2025-04-23T18:32:52.595Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.

Published: 2022-04-21T16:55:11.000Z
Updated: 2025-04-23T18:32:59.539Z

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

Published: 2022-04-21T16:50:11.000Z
Updated: 2025-04-23T18:33:08.323Z

GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.

Published: 2022-01-28T10:15:14.000Z
Updated: 2025-05-05T16:33:40.425Z

GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.

Published: 2022-01-28T10:06:31.000Z
Updated: 2025-05-05T16:33:51.512Z

GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

Published: 2021-09-15T17:05:09.000Z
Updated: 2024-08-04T01:58:18.177Z

GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.

Published: 2021-09-15T16:55:10.000Z
Updated: 2024-08-04T01:58:18.247Z

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

Published: 2021-09-15T16:40:11.000Z
Updated: 2024-08-04T01:58:18.270Z

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.

Published: 2021-09-15T15:50:10.000Z
Updated: 2024-08-04T01:58:18.170Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”. As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors. This is fixed in version 9.5.4.

Published: 2021-03-08T17:00:17.000Z
Updated: 2024-08-03T18:09:15.583Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems enabled. This is fixed in version 9.5.4.

Published: 2021-03-08T17:00:22.000Z
Updated: 2024-08-03T18:09:15.583Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a cross-site scripting attack. To exploit this endpoint attacker need to be authenticated. This is fixed in version 9.5.4.

Published: 2021-03-08T17:00:27.000Z
Updated: 2024-08-03T18:09:15.160Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with "Users" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts.

Published: 2021-03-08T17:00:33.000Z
Updated: 2024-08-03T18:09:15.447Z

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.

Published: 2021-03-03T19:30:15.000Z
Updated: 2024-08-03T18:09:15.013Z

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target and id are not properly sanitized. Here are two payloads (due to two different exploitations depending on which parameter you act) to exploit the vulnerability:/ajax/common.tabs.php?_target=javascript:alert(document.cookie)&_itemtype=DisplayPreference&_glpi_tab=DisplayPreference$2&id=258&displaytype=Ticket (Payload triggered if you click on the button). /ajax/common.tabs.php?_target=/front/ticket.form.php&_itemtype=Ticket&_glpi_tab=Ticket$1&id=(){};(function%20(){alert(document.cookie);})();function%20a&#.

Published: 2021-03-03T19:25:13.000Z
Updated: 2024-08-03T18:09:15.301Z

GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/document.form.php endpoint), indeed one of the form field: "Web Link" is not properly sanitized and a malicious user (who has document upload rights) can use it to deliver JavaScript payload. For example if you use the following payload: " accesskey="x" onclick="alert(1)" x=", the content will be saved within the database without any control. And then once you return to the summary documents page, by clicking on the "Web Link" of the newly created file it will create a new empty tab, but on the initial tab the pop-up "1" will appear.

Published: 2021-03-03T19:25:20.000Z
Updated: 2024-08-03T18:09:14.988Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using ajax/kanban.php. This is fixed in version 9.5.4.

Published: 2021-03-02T19:45:17.000Z
Updated: 2024-08-03T18:09:14.957Z

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

Published: 2021-03-02T19:40:20.000Z
Updated: 2024-08-03T18:09:14.994Z

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

Published: 2020-05-12T16:05:17.000Z
Updated: 2024-08-04T08:22:09.092Z

In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

Published: 2020-11-26T16:49:03.000Z
Updated: 2024-08-04T16:18:45.666Z

In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

Published: 2020-11-26T16:46:53.000Z
Updated: 2024-08-04T16:18:45.595Z

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.

Published: 2020-11-25T17:05:17.000Z
Updated: 2024-08-04T15:49:07.163Z

In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.

Published: 2020-10-07T19:20:14.000Z
Updated: 2024-08-04T13:08:22.889Z

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

Published: 2020-10-07T19:10:13.000Z
Updated: 2024-08-04T13:08:22.923Z

In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure Redirection Since authentication is not required to perform these changes,anyone could point these fields at malicious websites or form input in a way to trigger XSS. Leveraging JavaScript it's possible to steal cookies, perform actions as the user, etc. The issue is patched in version 9.5.2.

Published: 2020-10-07T19:05:14.000Z
Updated: 2024-08-04T13:08:22.457Z

In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2

Published: 2020-10-07T18:55:12.000Z
Updated: 2024-08-04T13:08:22.468Z

In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2.

Published: 2020-10-07T18:45:14.000Z
Updated: 2024-08-04T13:08:22.417Z

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

Published: 2020-07-17T20:30:17.000Z
Updated: 2024-08-04T13:08:21.741Z

In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

Published: 2020-05-12T19:25:12.000Z
Updated: 2024-08-04T11:21:14.505Z

In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

Published: 2020-05-12T19:30:14.000Z
Updated: 2024-08-04T11:21:14.633Z

In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "<script>alert(1)</script>" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires This is fixed in version 9.4.6.

Published: 2020-05-05T21:35:12.000Z
Updated: 2024-08-04T11:21:14.475Z

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

Published: 2020-05-05T21:30:12.000Z
Updated: 2024-08-04T11:21:14.511Z

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

Published: 2020-05-05T21:20:12.000Z
Updated: 2024-08-04T11:21:14.511Z

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

Published: 2020-05-05T21:15:12.000Z
Updated: 2024-08-04T11:21:14.326Z

In GLPI before version 9.4.6, there is a SQL injection vulnerability for all helpdesk instances. Exploiting this vulnerability requires a technician account. This is fixed in version 9.4.6.

Published: 2020-05-05T21:05:12.000Z
Updated: 2024-08-04T11:21:14.564Z

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

Published: 2020-09-23T15:20:13.000Z
Updated: 2024-08-04T11:21:14.373Z

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

Published: 2019-09-25T19:19:15.000Z
Updated: 2024-08-05T00:19:41.401Z

An issue was discovered in GLPI before 9.4.1. After a successful password reset by a user, it is possible to change that user's password again during the next 24 hours without any information except the associated email address.

Published: 2019-07-10T13:48:26.000Z
Updated: 2024-08-04T23:49:24.353Z

inc/user.class.php in GLPI before 9.4.3 allows XSS via a user picture.

Published: 2019-07-04T14:22:55.000Z
Updated: 2024-08-04T23:49:23.590Z

The FusionInventory plugin before 1.4 for GLPI 9.3.x and before 1.1 for GLPI 9.4.x mishandles sendXML actions.

Published: 2019-03-29T13:07:23.000Z
Updated: 2024-08-04T22:24:18.441Z

Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.

Published: 2019-03-27T16:23:27.000Z
Updated: 2024-08-04T22:17:19.665Z

An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Published: 2018-03-12T21:00:00.000Z
Updated: 2024-08-05T06:31:04.805Z

A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php.

Published: 2018-03-12T21:00:00.000Z
Updated: 2024-08-05T06:31:04.422Z

The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php.

Published: 2018-07-02T11:00:00.000Z
Updated: 2024-08-05T08:52:50.243Z

GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.

Published: 2017-07-20T04:00:00.000Z
Updated: 2024-08-05T18:12:39.804Z

GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.

Published: 2017-07-20T04:00:00.000Z
Updated: 2024-08-05T18:12:39.868Z

GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.

Published: 2017-07-14T16:00:00.000Z
Updated: 2024-09-16T18:03:33.221Z

SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.

Published: 2017-07-28T05:00:00.000Z
Updated: 2024-08-05T17:57:58.119Z

front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter.

Published: 2017-07-28T05:00:00.000Z
Updated: 2024-08-05T17:57:57.885Z

GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.

Published: 2015-10-05T14:00:00.000Z
Updated: 2024-08-06T07:58:59.441Z

Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

Published: 2015-10-05T14:00:00.000Z
Updated: 2024-08-06T07:58:59.978Z

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.

Published: 2014-12-19T15:00:00.000Z
Updated: 2024-08-06T13:40:24.869Z

Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.

Published: 2015-04-14T18:00:00.000Z
Updated: 2024-08-06T13:18:48.324Z

GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar.

Published: 2015-04-14T18:00:00.000Z
Updated: 2024-08-06T11:34:37.282Z

inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or (2) execute arbitrary PHP code via an update_1 action.

Published: 2013-09-23T01:00:00.000Z
Updated: 2024-09-16T16:17:31.120Z

Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php.

Published: 2014-05-14T19:00:00.000Z
Updated: 2024-08-06T15:27:41.119Z

inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php.

Published: 2014-05-27T15:00:00.000Z
Updated: 2024-08-06T15:27:41.113Z

Multiple cross-site scripting (XSS) vulnerabilities in GLPI-PROJECT GLPI before 0.83.3 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.

Published: 2012-10-09T23:00:00.000Z
Updated: 2024-08-06T20:21:04.111Z

Cross-site request forgery (CSRF) vulnerability in GLPI-PROJECT GLPI before 0.83.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2012-10-09T23:00:00.000Z
Updated: 2024-08-06T20:21:04.220Z

The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.

Published: 2011-08-05T21:00:00.000Z
Updated: 2024-08-06T23:08:23.791Z