Shodan
Vulnerabilities
Vulnerable Software
Glpi-Project:  Security Vulnerabilities
CVE-2017-11184
SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-28
CVE-2017-11474
GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-20
CVE-2017-11475
GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-07-20
CVE-2016-7507
Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application.
CVSS Score
8.0
EPSS Score
0.002
Published
2017-07-19
CVE-2016-7509
Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-07-19
CVE-2017-11329
GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-07-17
CVE-2016-7508
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-06-21
CVE-2015-7685
GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.
CVSS Score
4.0
EPSS Score
0.001
Published
2015-10-05
CVE-2015-7684
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.
CVSS Score
9.0
EPSS Score
0.012
Published
2015-10-05
CVE-2014-8360
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.
CVSS Score
7.5
EPSS Score
0.01
Published
2015-04-14


Products
Pricing
Contact Us

Shodan ® - All rights reserved