Glpi
by Glpi Project
Source repositories
CVEs (201)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21324 | 0.00 | — | 0.01 | Mar 8, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an… | |||
| CVE-2021-21325 | 0.00 | — | 0.01 | Mar 8, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a… | |||
| CVE-2021-21326 | 0.00 | — | 0.01 | Mar 8, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems… | |||
| CVE-2021-21327 | 0.00 | — | 0.02 | Mar 8, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment… | |||
| CVE-2021-21314 | 0.00 | — | 0.01 | Mar 3, 2021 | GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket. | |||
| CVE-2021-21312 | 0.00 | — | 0.01 | Mar 3, 2021 | GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or… | |||
| CVE-2021-21313 | 0.00 | — | 0.01 | Mar 3, 2021 | GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target… | |||
| CVE-2021-21258 | 0.00 | — | 0.01 | Mar 2, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using… | |||
| CVE-2021-21255 | 0.00 | — | 0.01 | Mar 2, 2021 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4. | |||
| CVE-2020-27663 | 0.00 | — | 0.01 | Nov 26, 2020 | In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.). | |||
| CVE-2020-27662 | 0.00 | — | 0.01 | Nov 26, 2020 | In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.). | |||
| CVE-2020-26212 | 0.00 | — | 0.01 | Nov 25, 2020 | GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to… | |||
| CVE-2020-15226 | 0.00 | — | 0.01 | Oct 7, 2020 | In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user.… | |||
| CVE-2020-15217 | 0.00 | — | 0.01 | Oct 7, 2020 | In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ. | |||
| CVE-2020-15177 | 0.00 | — | 0.01 | Oct 7, 2020 | In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure… | |||
| CVE-2020-15176 | 0.00 | — | 0.01 | Oct 7, 2020 | In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords,… | |||
| CVE-2020-11031 | 0.00 | — | 0.00 | Sep 23, 2020 | In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption… | |||
| CVE-2020-15108 | 0.00 | — | 0.01 | Jul 17, 2020 | In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1. | |||
| CVE-2020-11062 | 0.00 | — | 0.01 | May 12, 2020 | In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6. | |||
| CVE-2020-5248 | 0.00 | — | 0.01 | May 12, 2020 | GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing… |
- CVE-2021-21324Mar 8, 2021risk 0.00cvss —epss 0.01
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an…
- CVE-2021-21325Mar 8, 2021risk 0.00cvss —epss 0.01
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a…
- CVE-2021-21326Mar 8, 2021risk 0.00cvss —epss 0.01
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems…
- CVE-2021-21327Mar 8, 2021risk 0.00cvss —epss 0.02
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment…
- CVE-2021-21314Mar 3, 2021risk 0.00cvss —epss 0.01
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.
- CVE-2021-21312Mar 3, 2021risk 0.00cvss —epss 0.01
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or…
- CVE-2021-21313Mar 3, 2021risk 0.00cvss —epss 0.01
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target…
- CVE-2021-21258Mar 2, 2021risk 0.00cvss —epss 0.01
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using…
- CVE-2021-21255Mar 2, 2021risk 0.00cvss —epss 0.01
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.
- CVE-2020-27663Nov 26, 2020risk 0.00cvss —epss 0.01
In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
- CVE-2020-27662Nov 26, 2020risk 0.00cvss —epss 0.01
In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).
- CVE-2020-26212Nov 25, 2020risk 0.00cvss —epss 0.01
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to…
- CVE-2020-15226Oct 7, 2020risk 0.00cvss —epss 0.01
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user.…
- CVE-2020-15217Oct 7, 2020risk 0.00cvss —epss 0.01
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
- CVE-2020-15177Oct 7, 2020risk 0.00cvss —epss 0.01
In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure…
- CVE-2020-15176Oct 7, 2020risk 0.00cvss —epss 0.01
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords,…
- CVE-2020-11031Sep 23, 2020risk 0.00cvss —epss 0.00
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption…
- CVE-2020-15108Jul 17, 2020risk 0.00cvss —epss 0.01
In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.
- CVE-2020-11062May 12, 2020risk 0.00cvss —epss 0.01
In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.
- CVE-2020-5248May 12, 2020risk 0.00cvss —epss 0.01
GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing…
Page 9 of 11