Glpi-Project: >> Glpi >> 0.85 Security Vulnerabilities
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-20
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-07-20
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-17
GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.
CVSS Score
4.0
EPSS Score
0.001
Published
2015-10-05
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.
CVSS Score
9.0
EPSS Score
0.012
Published
2015-10-05
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter.
CVSS Score
6.5
EPSS Score
0.089
Published
2014-12-19
Page 10