Filtered by vendor Glpi-project
Subscribe
Total
140 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-42461 | 1 Glpi-project | 1 Glpi | 2023-09-29 | N/A | 9.8 CRITICAL |
| GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-42462 | 1 Glpi-project | 1 Glpi | 2023-09-29 | N/A | 9.1 CRITICAL |
| GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. | |||||
| CVE-2021-30144 | 1 Glpi-project | 1 Dashboard | 2023-08-08 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category. For example, plugins/dashboard/front/main2.php can be used. | |||||
| CVE-2023-37278 | 1 Glpi-project | 1 Glpi | 2023-07-27 | N/A | 9.1 CRITICAL |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9. | |||||
| CVE-2023-34106 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch. | |||||
| CVE-2023-34107 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue. | |||||
| CVE-2023-34244 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 6.1 MEDIUM |
| GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch. | |||||
| CVE-2023-35924 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-35939 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 8.1 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-35940 | 1 Glpi-project | 1 Glpi | 2023-07-11 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue. | |||||
| CVE-2023-36808 | 1 Glpi-project | 1 Glpi | 2023-07-10 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. | |||||
| CVE-2023-34254 | 1 Glpi-project | 1 Glpi Agent | 2023-07-05 | N/A | 7.2 HIGH |
| The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In the case, the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for remoteinventory task. This vulnerability has been patched in glpi-agent 1.5. | |||||
| CVE-2022-39370 | 1 Glpi-project | 1 Glpi | 2023-06-27 | N/A | 4.3 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This issue has been patched, please upgrade to 10.0.4. As a workaround, delete the `install/update.php` script. | |||||
| CVE-2021-21327 | 1 Glpi-project | 1 Glpi | 2023-06-26 | 5.0 MEDIUM | 7.5 HIGH |
| GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”. As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors. This is fixed in version 9.5.4. | |||||
| CVE-2022-34125 | 1 Glpi-project | 1 Cmdb | 2023-04-25 | N/A | 6.5 MEDIUM |
| front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. | |||||
| CVE-2022-34126 | 1 Glpi-project | 1 Activity | 2023-04-25 | N/A | 7.5 HIGH |
| The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter. | |||||
| CVE-2022-34127 | 1 Glpi-project | 1 Manageentities | 2023-04-25 | N/A | 7.5 HIGH |
| The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter. | |||||
| CVE-2022-34128 | 1 Glpi-project | 1 Positions | 2023-04-25 | N/A | 9.8 CRITICAL |
| The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php. | |||||
| CVE-2023-28634 | 1 Glpi-project | 1 Glpi | 2023-04-12 | N/A | 8.8 HIGH |
| GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. | |||||
| CVE-2023-28636 | 1 Glpi-project | 1 Glpi | 2023-04-12 | N/A | 4.8 MEDIUM |
| GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7. | |||||