VYPR

Glpi

by Glpi Project

Source repositories

CVEs (201)

  • CVE-2021-21324Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an…

  • CVE-2021-21325Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a…

  • CVE-2021-21326Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems…

  • CVE-2021-21327Mar 8, 2021
    risk 0.00cvss epss 0.02

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment…

  • CVE-2021-21314Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.

  • CVE-2021-21312Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or…

  • CVE-2021-21313Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target…

  • CVE-2021-21258Mar 2, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using…

  • CVE-2021-21255Mar 2, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

  • CVE-2020-27663Nov 26, 2020
    risk 0.00cvss epss 0.01

    In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

  • CVE-2020-27662Nov 26, 2020
    risk 0.00cvss epss 0.01

    In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

  • CVE-2020-26212Nov 25, 2020
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to…

  • CVE-2020-15226Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user.…

  • CVE-2020-15217Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

  • CVE-2020-15177Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure…

  • CVE-2020-15176Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords,…

  • CVE-2020-11031Sep 23, 2020
    risk 0.00cvss epss 0.00

    In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption…

  • CVE-2020-15108Jul 17, 2020
    risk 0.00cvss epss 0.01

    In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

  • CVE-2020-11062May 12, 2020
    risk 0.00cvss epss 0.01

    In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

  • CVE-2020-5248May 12, 2020
    risk 0.00cvss epss 0.01

    GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing…