Shodan
Vulnerabilities
Vulnerable Software
Glpi-Project:  Security Vulnerabilities
CVE-2017-11474
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-20
CVE-2017-11475
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-07-20
CVE-2016-7507
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
CVSS Score
8.0
EPSS Score
0.002
Published
2017-07-19
CVE-2016-7509
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-07-19
CVE-2017-11329
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-17
CVE-2016-7508
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
CVSS Score
7.5
EPSS Score
0.002
Published
2017-06-21
CVE-2015-7685
GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.
CVSS Score
4.0
EPSS Score
0.001
Published
2015-10-05
CVE-2015-7684
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.
CVSS Score
9.0
EPSS Score
0.012
Published
2015-10-05
CVE-2014-8360
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
CVSS Score
7.5
EPSS Score
0.01
Published
2015-04-14
CVE-2014-5032
GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar.
CVSS Score
5.0
EPSS Score
0.004
Published
2015-04-14


Products
Pricing
Contact Us

Shodan ® - All rights reserved