VYPR

Glpi

by Glpi Project

Source repositories

CVEs (201)

  • CVE-2016-7509MedJul 19, 2017
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.

  • CVE-2017-11183MedJul 28, 2017
    risk 0.32cvss 4.9epss 0.01

    front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter.

  • CVE-2026-42320MedJun 3, 2026
    risk 0.31cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

  • CVE-2022-35914KEVSep 19, 2022
    risk 0.23cvss epss 1.00

    /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

  • CVE-2026-32312MedMay 19, 2026
    risk 0.21cvss 4.3epss 0.00

    GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

  • CVE-2020-15175Oct 7, 2020
    risk 0.06cvss epss 0.72

    In GLPI before version 9.5.2, the `​pluginimage.send.php​` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and…

  • CVE-2025-24799Mar 18, 2025
    risk 0.05cvss epss 0.86

    GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18.

  • CVE-2024-31456May 7, 2024
    risk 0.05cvss epss 0.59

    GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.

  • CVE-2024-29889May 7, 2024
    risk 0.05cvss epss 0.63

    GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.

  • CVE-2024-27096Mar 18, 2024
    risk 0.05cvss epss 0.63

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has…

  • CVE-2023-46727Dec 13, 2023
    risk 0.05cvss epss 0.67

    GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

  • CVE-2020-11034May 5, 2020
    risk 0.05cvss epss 0.08

    In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp. This is fixed in version 9.4.6.

  • CVE-2013-2227Nov 1, 2019
    risk 0.05cvss epss 0.13

    GLPI 0.83.7 has Local File Inclusion in common.tabs.php.

  • CVE-2022-31061Jun 28, 2022
    risk 0.04cvss epss 0.51

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit…

  • CVE-2020-11060May 12, 2020
    risk 0.04cvss epss 0.11

    In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable…

  • CVE-2013-2225May 27, 2014
    risk 0.04cvss epss 0.08

    inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php.

  • CVE-2013-5696Sep 23, 2013
    risk 0.04cvss epss 0.08

    inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or…

  • CVE-2024-27098Mar 18, 2024
    risk 0.03cvss epss 0.38

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

  • CVE-2022-31056Jun 28, 2022
    risk 0.03cvss epss 0.09

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit sql injection on the actor fields. This issue has been resolved…

  • CVE-2021-39211Sep 15, 2021
    risk 0.03cvss epss 0.04

    GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not…

Page 2 of 11