Glpi-Project: >> Glpi >> 0.80.1 Security Vulnerabilities
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-07-30
GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-07-30
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19.
CVSS Score
2.7
EPSS Score
0.0
Published
2025-07-30
GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-03-18
GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-02-25
GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-02-25
GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.
CVSS Score
5.8
EPSS Score
0.001
Published
2025-02-25
GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-02-25
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
CVSS Score
7.2
EPSS Score
0.001
Published
2024-12-11
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
CVSS Score
7.5
EPSS Score
0.042
Published
2024-11-18
Page 1