VYPR

Vendor CVEs

Glpi Project

All CVEs

219 total · sorted by risk
  • CVE-2022-39373Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched,…

  • CVE-2022-39234Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie…

  • CVE-2022-39262Nov 3, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal…

  • CVE-2022-39370Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This…

  • CVE-2022-39371Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly…

  • CVE-2022-39323Nov 3, 2022
    risk 0.00cvss epss 0.34

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been…

  • CVE-2022-39276Nov 3, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit.…

  • CVE-2022-39372Nov 3, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This…

  • CVE-2022-31187Sep 14, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global…

  • CVE-2022-35946Sep 14, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin…

  • CVE-2022-35947Sep 14, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which…

  • CVE-2022-36112Sep 14, 2022
    risk 0.00cvss epss 0.00

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit.…

  • CVE-2022-35945Sep 14, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated to registration key are not properly escaped in registration…

  • CVE-2022-31143Sep 14, 2022
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information…

  • CVE-2022-31068Jun 28, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is…

  • CVE-2022-31082Jun 27, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package…

  • CVE-2022-29250Jun 9, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this…

  • CVE-2022-24876Jun 9, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Kanban is a GLPI view to display Projects, Tickets, Changes or Problems on a task board. In versions prior to 10.0.1 a user can exploit a…

  • CVE-2022-24869Apr 21, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site…

  • CVE-2022-24868Apr 21, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a…

  • CVE-2022-24867Apr 21, 2022
    risk 0.00cvss epss 0.01

    GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the…

  • CVE-2021-44617Mar 28, 2022
    risk 0.00cvss epss 0.02

    A SQL Injection vulnerability exits in the Ramo plugin for GLPI 9.4.6 via the idu parameter in plugins/ramo/ramoapirest.php/getOutdated.

  • CVE-2022-21720Jan 28, 2022
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right…

  • CVE-2022-21719Jan 28, 2022
    risk 0.00cvss epss 0.01

    GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.

  • CVE-2021-39213Sep 15, 2021
    risk 0.00cvss epss 0.01

    GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

  • CVE-2021-39210Sep 15, 2021
    risk 0.00cvss epss 0.01

    GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to…

  • CVE-2021-39209Sep 15, 2021
    risk 0.00cvss epss 0.01

    GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in…

  • CVE-2021-3486May 26, 2021
    risk 0.00cvss epss 0.01

    GLPi 9.5.4 does not sanitize the metadata. This way its possible to insert XSS into plugins to execute JavaScript code.

  • CVE-2021-21324Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an…

  • CVE-2021-21325Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 a new budget type can be defined by user. This input is not correctly filtered. This results in a…

  • CVE-2021-21326Mar 8, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems…

  • CVE-2021-21327Mar 8, 2021
    risk 0.00cvss epss 0.02

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment…

  • CVE-2021-21314Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is an XSS vulnerability involving a logged in user while updating a ticket.

  • CVE-2021-21312Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or…

  • CVE-2021-21313Mar 3, 2021
    risk 0.00cvss epss 0.01

    GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint, indeed, at least two parameters _target…

  • CVE-2021-21258Mar 2, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI from version 9.5.0 and before version 9.5.4, there is a cross-site scripting injection vulnerability when using…

  • CVE-2021-21255Mar 2, 2021
    risk 0.00cvss epss 0.01

    GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

  • CVE-2020-27663Nov 26, 2020
    risk 0.00cvss epss 0.01

    In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).

  • CVE-2020-27662Nov 26, 2020
    risk 0.00cvss epss 0.01

    In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table (e.g., glpi_tickets, glpi_users, etc.).

  • CVE-2020-26212Nov 25, 2020
    risk 0.00cvss epss 0.01

    GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to…

  • CVE-2020-15226Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user.…

  • CVE-2020-15217Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.

  • CVE-2020-15177Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, the `install/install.php` endpoint insecurely stores user input into the database as `url_base` and `url_base_api`. These settings are referenced throughout the application and allow for vulnerabilities like Cross-Site Scripting and Insecure…

  • CVE-2020-15176Oct 7, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords,…

  • CVE-2020-11031Sep 23, 2020
    risk 0.00cvss epss 0.00

    In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption…

  • CVE-2020-15108Jul 17, 2020
    risk 0.00cvss epss 0.01

    In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

  • CVE-2020-11062May 12, 2020
    risk 0.00cvss epss 0.01

    In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in Dropdown endpoints due to an invalid Content-Type. This has been fixed in version 9.4.6.

  • CVE-2020-5248May 12, 2020
    risk 0.00cvss epss 0.01

    GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing…

  • CVE-2020-11036May 5, 2020
    risk 0.00cvss epss 0.01

    In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "" reproduces the attack. This can be exploited by a…

  • CVE-2020-11035May 5, 2020
    risk 0.00cvss epss 0.01

    In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

Page 4 of 5