Glpi
Sign in to watchby Glpi Project
Source repositories
CVEs (169)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-9258 | 0.04 | — | 0.09 | Dec 19, 2014 | SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. | ||
| CVE-2013-2225 | 0.04 | — | 0.12 | May 27, 2014 | inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. | ||
| CVE-2022-31056 | 0.03 | — | 0.05 | Jun 28, 2022 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade. | ||
| CVE-2021-39211 | 0.03 | — | 0.39 | Sep 15, 2021 | GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI. | ||
| CVE-2020-15175 | 0.03 | — | 0.37 | Oct 7, 2020 | In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2. | ||
| CVE-2024-50339 | 0.02 | — | 0.20 | Dec 11, 2024 | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue. | ||
| CVE-2024-43416 | 0.02 | — | 0.24 | Nov 18, 2024 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue. | ||
| CVE-2024-31456 | 0.02 | — | 0.24 | May 7, 2024 | GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15. | ||
| CVE-2023-46727 | 0.02 | — | 0.23 | Dec 13, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory. | ||
| CVE-2024-37149 | 0.01 | — | 0.08 | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16. | ||
| CVE-2024-37147 | 0.01 | — | 0.13 | Jul 10, 2024 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16. | ||
| CVE-2024-27098 | 0.01 | — | 0.14 | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13. | ||
| CVE-2024-27096 | 0.01 | — | 0.16 | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13. | ||
| CVE-2024-27937 | 0.01 | — | 0.07 | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13. | ||
| CVE-2023-43813 | 0.01 | — | 0.11 | Dec 13, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue. | ||
| CVE-2023-41320 | 0.01 | — | 0.09 | Sep 26, 2023 | GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. | ||
| CVE-2023-36808 | 0.01 | — | 0.16 | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | ||
| CVE-2023-35924 | 0.01 | — | 0.18 | Jul 5, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | ||
| CVE-2026-25937 | 0.00 | — | 0.00 | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue. | ||
| CVE-2026-25936 | 0.00 | — | 0.00 | Mar 17, 2026 | GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perfom a SQL injection. Version 11.0.6 fixes the issue. |
Page 2 of 9