Glpi-Project: >> Glpi >> 0.84.7 Security Vulnerabilities
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.
CVSS Score
9.0
EPSS Score
0.017
Published
2015-10-05
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
CVSS Score
7.5
EPSS Score
0.007
Published
2015-04-14
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
CVSS Score
6.5
EPSS Score
0.091
Published
2014-12-19
Page 10