Glpi Project Glpi

GLPI is a free asset and IT management software package

CVE-2025-23046 7.5 - High - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Incorrect Implementation of Authentication Algorithm

GLPI is a free asset and IT management software package

CVE-2025-25192 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Information Disclosure

A vulnerability was found in GLPI up to 10.0.17

CVE-2024-11955 6.1 - Medium - February 25, 2025

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Open Redirect

GLPI is a free asset and IT management software package

CVE-2025-21626 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

Information Disclosure

GLPI is a free asset and IT management software package

CVE-2025-21627 6.1 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

XSS

GLPI is a free asset and IT management software package

CVE-2025-23024 4.3 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

AuthZ

GLPI is a free asset and IT management software package

CVE-2024-50339 5.3 - Medium - December 12, 2024

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Session Fixation

GLPI API Privilege Escalation Vulnerability

CVE-2024-47760 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI Privilege Escalation Vulnerability in Notification System

CVE-2024-47761 7.2 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

authentification

GLPI User Account Deletion Vulnerability

CVE-2024-48912 8.1 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI API Privilege Escalation Vulnerability

CVE-2024-47758 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI is a free asset and IT management software package

CVE-2024-43416 5.3 - Medium - November 18, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Information Disclosure

GLPI API Document Access Control Vulnerability

CVE-2024-38370 7.5 - High - November 15, 2024

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.

AuthZ

GLPI Cable Form Reflected XSS Vulnerability

CVE-2024-45610 6.1 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

XSS

GLPI Access Control Bypass and Stored XSS Vulnerability

CVE-2024-45611 5.4 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.

XSS

GLPI Reflected XSS Vulnerability in Reports Pages

CVE-2024-45609 6.1 - Medium - November 15, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI Ticket Form

CVE-2024-41679 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

SQL Injection

GLPI Software Form Reflected XSS Vulnerability

CVE-2024-43417 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

XSS

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in Technician Interface

CVE-2024-43418 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI User Preferences

CVE-2024-45608 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.

SQL Injection

GLPI SQL Injection Vulnerability in User Account Management

CVE-2024-40638 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

SQL Injection

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in User Interface

CVE-2024-41678 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

GLPI SVG File Script Execution Vulnerability

CVE-2024-47759 4.8 - Medium - November 15, 2024

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

XSS

GLPI is an open-source asset and IT management software package

CVE-2024-37149 8.8 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Code Injection

GLPI is an open-source asset and IT management software package

CVE-2024-37148 8.1 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.

SQL Injection

GLPI is an open-source asset and IT management software package

CVE-2024-37147 4.3 - Medium - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.

GLPI is a Free Asset and IT Management Software package

CVE-2024-29889 8.1 - High - May 07, 2024

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.

SQL Injection

GLPI is a Free Asset and IT Management Software package

CVE-2024-31456 6.5 - Medium - May 07, 2024

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.

SQL Injection

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27096 6.5 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

SQL Injection

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27098 9.6 - Critical - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

SSRF

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27104 4.8 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

XSS

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27914 6.1 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

XSS

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27930 6.5 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27937 4.3 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.

GLPI is a Free Asset and IT Management Software package

CVE-2023-51446 8.1 - High - February 01, 2024

GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

Injection

GLPI is a Free Asset and IT Management Software package

CVE-2024-23645 6.1 - Medium - February 01, 2024

GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.

XSS

GLPI is a free asset and IT management software package

CVE-2023-43813 8.8 - High - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-46726 9.8 - Critical - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

Injection

GLPI is a free asset and IT management software package

CVE-2023-46727 9.8 - Critical - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-42802 9.8 - Critical - November 02, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

Unrestricted File Upload

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41324 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-42462 9.1 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Unrestricted File Upload

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-42461 9.8 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41888 5.4 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Directory traversal

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41326 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41323 5.3 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41320 9.8 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41321 6.5 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41322 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2023-37278 9.1 - Critical - July 13, 2023

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

SQL Injection