Glpi-Project: Security Vulnerabilities
GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.
CVSS Score
6.5
EPSS Score
0.002
Published
2023-07-05
The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In the case, the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.
CVSS Score
7.6
EPSS Score
0.003
Published
2023-06-23
front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.
CVSS Score
6.5
EPSS Score
0.017
Published
2023-04-16
The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-04-16
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.
CVSS Score
7.5
EPSS Score
0.051
Published
2023-04-16
The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.
CVSS Score
9.8
EPSS Score
0.095
Published
2023-04-16
GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.
CVSS Score
4.5
EPSS Score
0.004
Published
2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.
CVSS Score
6.1
EPSS Score
0.01
Published
2023-04-05
GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.
CVSS Score
9.6
EPSS Score
0.004
Published
2023-04-05
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.
CVSS Score
10.0
EPSS Score
0.004
Published
2023-04-05