VYPR

Vendor CVEs

Glpi Project

All CVEs

219 total · sorted by risk
  • CVE-2024-43417Nov 15, 2024
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

  • CVE-2024-41679Nov 15, 2024
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

  • CVE-2024-41678Nov 15, 2024
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

  • CVE-2024-40638Nov 15, 2024
    risk 0.00cvss epss 0.37

    GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

  • CVE-2024-47759Nov 15, 2024
    risk 0.00cvss epss 0.00

    GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

  • CVE-2024-37148Jul 10, 2024
    risk 0.00cvss epss 0.20

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take…

  • CVE-2024-28241Apr 25, 2024
    risk 0.00cvss epss 0.00

    The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default…

  • CVE-2024-28240Apr 25, 2024
    risk 0.00cvss epss 0.00

    The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the…

  • CVE-2024-27914Mar 18, 2024
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS…

  • CVE-2024-27104Mar 18, 2024
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard…

  • CVE-2024-27930Mar 18, 2024
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version…

  • CVE-2024-27756Mar 15, 2024
    risk 0.00cvss epss 0.01

    GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.

  • CVE-2023-51446Feb 1, 2024
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

  • CVE-2024-23645Feb 1, 2024
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.

  • CVE-2023-46726Dec 13, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch…

  • CVE-2023-42802Nov 2, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system…

  • CVE-2023-42462Sep 26, 2023
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to…

  • CVE-2023-42461Sep 26, 2023
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection.…

  • CVE-2023-41888Sep 26, 2023
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious…

  • CVE-2023-41326Sep 26, 2023
    risk 0.00cvss epss 0.31

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field,…

  • CVE-2023-41324Sep 26, 2023
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users.…

  • CVE-2023-41323Sep 26, 2023
    risk 0.00cvss epss 0.34

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to…

  • CVE-2023-41322Sep 26, 2023
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's…

  • CVE-2023-41321Sep 26, 2023
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read…

  • CVE-2023-37278Jul 13, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

  • CVE-2023-35940Jul 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

  • CVE-2023-35939Jul 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard…

  • CVE-2023-34244Jul 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade…

  • CVE-2023-34107Jul 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch…

  • CVE-2023-34106Jul 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information.…

  • CVE-2023-34254Jun 23, 2023
    risk 0.00cvss epss 0.01

    The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the…

  • CVE-2023-33971May 31, 2023
    risk 0.00cvss epss 0.01

    Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of `##FULLFORM##` for…

  • CVE-2023-28852Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related…

  • CVE-2023-28849Apr 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default,…

  • CVE-2023-28838Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell…

  • CVE-2023-28636Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

  • CVE-2023-28634Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session…

  • CVE-2023-28633Apr 5, 2023
    risk 0.00cvss epss 0.00

    GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is…

  • CVE-2023-28632Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying…

  • CVE-2023-28639Apr 5, 2023
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted…

  • CVE-2022-41941Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.

  • CVE-2023-22500Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are…

  • CVE-2023-22722Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make…

  • CVE-2023-22724Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to…

  • CVE-2023-22725Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

  • CVE-2023-23610Jan 25, 2023
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to…

  • CVE-2022-39181Nov 17, 2022
    risk 0.00cvss epss 0.00

    GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to…

  • CVE-2022-39277Nov 3, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a…

  • CVE-2022-39376Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has…

  • CVE-2022-39375Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in…