Glpi Project Glpi
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Glpi Project Glpi.
By the Year
In 2025 there have been 6 vulnerabilities in Glpi Project Glpi with an average score of 6.2 out of ten. Last year, in 2024 Glpi had 30 security vulnerabilities published. Right now, Glpi is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.70
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 6 | 6.17 |
2024 | 30 | 6.86 |
2023 | 35 | 7.43 |
2022 | 29 | 6.55 |
2021 | 14 | 6.26 |
2020 | 18 | 6.54 |
2019 | 6 | 6.30 |
2018 | 3 | 7.47 |
It may take a day or so for new Glpi vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Glpi Project Glpi Security Vulnerabilities
GLPI is a free asset and IT management software package
CVE-2025-23046
7.5 - High
- February 25, 2025
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.
Incorrect Implementation of Authentication Algorithm
GLPI is a free asset and IT management software package
CVE-2025-25192
6.5 - Medium
- February 25, 2025
GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
Information Disclosure
A vulnerability was found in GLPI up to 10.0.17
CVE-2024-11955
6.1 - Medium
- February 25, 2025
A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.
Open Redirect
GLPI is a free asset and IT management software package
CVE-2025-21626
6.5 - Medium
- February 25, 2025
GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.
Information Disclosure
GLPI is a free asset and IT management software package
CVE-2025-21627
6.1 - Medium
- February 25, 2025
GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.
XSS
GLPI is a free asset and IT management software package
CVE-2025-23024
4.3 - Medium
- February 25, 2025
GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.
AuthZ
GLPI is a free asset and IT management software package
CVE-2024-50339
5.3 - Medium
- December 12, 2024
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.
Session Fixation
GLPI API Privilege Escalation Vulnerability
CVE-2024-47760
8.8 - High
- December 11, 2024
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
Authorization
GLPI Privilege Escalation Vulnerability in Notification System
CVE-2024-47761
7.2 - High
- December 11, 2024
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.
authentification
GLPI User Account Deletion Vulnerability
CVE-2024-48912
8.1 - High
- December 11, 2024
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.
Authorization
GLPI API Privilege Escalation Vulnerability
CVE-2024-47758
8.8 - High
- December 11, 2024
GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.
Authorization
GLPI is a free asset and IT management software package
CVE-2024-43416
5.3 - Medium
- November 18, 2024
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
Information Disclosure
GLPI API Document Access Control Vulnerability
CVE-2024-38370
7.5 - High
- November 15, 2024
GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.
AuthZ
GLPI Cable Form Reflected XSS Vulnerability
CVE-2024-45610
6.1 - Medium
- November 15, 2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.
XSS
GLPI Access Control Bypass and Stored XSS Vulnerability
CVE-2024-45611
5.4 - Medium
- November 15, 2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.
XSS
GLPI Reflected XSS Vulnerability in Reports Pages
CVE-2024-45609
6.1 - Medium
- November 15, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.
XSS
SQL Injection Vulnerability in GLPI Ticket Form
CVE-2024-41679
8.8 - High
- November 15, 2024
GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.
SQL Injection
GLPI Software Form Reflected XSS Vulnerability
CVE-2024-43417
6.1 - Medium
- November 15, 2024
GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.
XSS
GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in Technician Interface
CVE-2024-43418
6.1 - Medium
- November 15, 2024
GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
XSS
SQL Injection Vulnerability in GLPI User Preferences
CVE-2024-45608
8.8 - High
- November 15, 2024
GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.
SQL Injection
GLPI SQL Injection Vulnerability in User Account Management
CVE-2024-40638
8.8 - High
- November 15, 2024
GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
SQL Injection
GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in User Interface
CVE-2024-41678
6.1 - Medium
- November 15, 2024
GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.
XSS
GLPI SVG File Script Execution Vulnerability
CVE-2024-47759
4.8 - Medium
- November 15, 2024
GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.
XSS
GLPI is an open-source asset and IT management software package
CVE-2024-37149
8.8 - High
- July 10, 2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.
Code Injection
GLPI is an open-source asset and IT management software package
CVE-2024-37148
8.1 - High
- July 10, 2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.
SQL Injection
GLPI is an open-source asset and IT management software package
CVE-2024-37147
4.3 - Medium
- July 10, 2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.
GLPI is a Free Asset and IT Management Software package
CVE-2024-29889
8.1 - High
- May 07, 2024
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.
SQL Injection
GLPI is a Free Asset and IT Management Software package
CVE-2024-31456
6.5 - Medium
- May 07, 2024
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.
SQL Injection
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27096
6.5 - Medium
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.
SQL Injection
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27098
9.6 - Critical
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.
SSRF
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27104
4.8 - Medium
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.
XSS
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27914
6.1 - Medium
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.
XSS
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27930
6.5 - Medium
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2024-27937
4.3 - Medium
- March 18, 2024
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.
GLPI is a Free Asset and IT Management Software package
CVE-2023-51446
8.1 - High
- February 01, 2024
GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.
Injection
GLPI is a Free Asset and IT Management Software package
CVE-2024-23645
6.1 - Medium
- February 01, 2024
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.
XSS
GLPI is a free asset and IT management software package
CVE-2023-43813
8.8 - High
- December 13, 2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.
SQL Injection
GLPI is a free asset and IT management software package
CVE-2023-46726
9.8 - Critical
- December 13, 2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.
Injection
GLPI is a free asset and IT management software package
CVE-2023-46727
9.8 - Critical
- December 13, 2023
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.
SQL Injection
GLPI is a free asset and IT management software package
CVE-2023-42802
9.8 - Critical
- November 02, 2023
GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.
Unrestricted File Upload
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41324
8.8 - High
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-42462
9.1 - Critical
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Unrestricted File Upload
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-42461
9.8 - Critical
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
SQL Injection
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41888
5.4 - Medium
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
Directory traversal
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41326
8.8 - High
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41323
5.3 - Medium
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41320
9.8 - Critical
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
SQL Injection
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41321
6.5 - Medium
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package
CVE-2023-41322
8.8 - High
- September 27, 2023
GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing
CVE-2023-37278
9.1 - Critical
- July 13, 2023
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.
SQL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Glpi Project Glpi or by Glpi Project? Click the Watch button to subscribe.
