Glpi
by Glpi Project
Source repositories
CVEs (201)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-7509 | Glpi Project / Glpi | Med | 0.35 | 5.4 | 0.01 | | Jul 19, 2017 | Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket. |
| CVE-2017-11183 | Glpi Project / Glpi | Med | 0.32 | 4.9 | 0.01 | | Jul 28, 2017 | front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. |
| CVE-2026-42320 | Glpi Project / Glpi | Med | 0.31 | — | 0.00 | | Jun 3, 2026 | GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch. |
| CVE-2022-35914 | Glpi Project / Glpi | | 0.23 | — | 1.00 | KEV | Sep 19, 2022 | /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. |
| CVE-2026-32312 | Glpi Project / Glpi | Med | 0.21 | 4.3 | 0.00 | | May 19, 2026 | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7. |
| CVE-2020-15175 | Glpi Project / Glpi | | 0.06 | — | 0.72 | | Oct 7, 2020 | In GLPI before version 9.5.2, the `pluginimage.send.php` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and… |
| CVE-2025-24799 | Glpi Project / Glpi | | 0.05 | — | 0.86 | | Mar 18, 2025 | GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. |
| CVE-2024-31456 | Glpi Project / Glpi | | 0.05 | — | 0.59 | | May 7, 2024 | GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15. |
| CVE-2024-29889 | Glpi Project / Glpi | | 0.05 | — | 0.63 | | May 7, 2024 | GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15. |
| CVE-2024-27096 | Glpi Project / Glpi | | 0.05 | — | 0.63 | | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has… |
| CVE-2023-46727 | Glpi Project / Glpi | | 0.05 | — | 0.67 | | Dec 13, 2023 | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory. |
| CVE-2020-11034 | Glpi Project / Glpi | | 0.05 | — | 0.08 | | May 5, 2020 | In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection, which is based on a regexp. This is fixed in version 9.4.6. |
| CVE-2013-2227 | Glpi Project / Glpi | | 0.05 | — | 0.13 | | Nov 1, 2019 | GLPI 0.83.7 has Local File Inclusion in common.tabs.php. |
| CVE-2022-31061 | Glpi Project / Glpi | | 0.04 | — | 0.51 | | Jun 28, 2022 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on the login page. No user credentials are required to exploit… |
| CVE-2020-11060 | Glpi Project / Glpi | | 0.04 | — | 0.11 | | May 12, 2020 | In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable… |
| CVE-2013-2225 | Glpi Project / Glpi | | 0.04 | — | 0.08 | | May 27, 2014 | inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. |
| CVE-2013-5696 | Glpi Project / Glpi | | 0.04 | — | 0.08 | | Sep 23, 2013 | inc/central.class.php in GLPI before 0.84.2 does not attempt to make install/install.php unavailable after an installation is completed, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and (1) perform a SQL injection via an Etape_4 action or… |
| CVE-2024-27098 | Glpi Project / Glpi | | 0.03 | — | 0.38 | | Mar 18, 2024 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute an SSRF-based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13. |
| CVE-2022-31056 | Glpi Project / Glpi | | 0.03 | — | 0.09 | | Jun 28, 2022 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit SQL injection on the actor fields. This issue has been resolved… |
| CVE-2021-39211 | Glpi Project / Glpi | | 0.03 | — | 0.04 | | Sep 15, 2021 | GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not… |
Page 2 of 11