Filtered by vendor Glpi-project
Subscribe
Total
201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-53357 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 5.4 MEDIUM |
| GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. | |||||
| CVE-2025-53113 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 2.7 LOW |
| GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. | |||||
| CVE-2025-53112 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 4.3 MEDIUM |
| GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19. | |||||
| CVE-2025-53111 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 6.5 MEDIUM |
| GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. | |||||
| CVE-2025-53008 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 6.5 MEDIUM |
| GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. | |||||
| CVE-2025-52897 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 6.5 MEDIUM |
| GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. | |||||
| CVE-2025-52567 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 3.5 LOW |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19. | |||||
| CVE-2025-27514 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 4.5 MEDIUM |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19. | |||||
| CVE-2025-24801 | 1 Glpi-project | 1 Glpi | 2025-08-01 | N/A | 8.5 HIGH |
| GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2025-21619 | 1 Glpi-project | 1 Glpi | 2025-07-31 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2025-24799 | 1 Glpi-project | 1 Glpi | 2025-07-31 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2022-21720 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 4.0 MEDIUM | 4.9 MEDIUM |
| GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability. | |||||
| CVE-2022-21719 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2025-25192 | 1 Glpi-project | 1 Glpi | 2025-04-23 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file. | |||||
| CVE-2024-11955 | 1 Glpi-project | 1 Glpi | 2025-03-04 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2024-38370 | 1 Glpi-project | 1 Glpi | 2025-02-10 | N/A | 5.3 MEDIUM |
| GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16. | |||||
| CVE-2022-34128 | 1 Glpi-project | 1 Positions | 2025-02-06 | N/A | 9.8 CRITICAL |
| The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php. | |||||
| CVE-2022-34127 | 1 Glpi-project | 1 Manageentities | 2025-02-06 | N/A | 7.5 HIGH |
| The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter. | |||||
| CVE-2022-34126 | 1 Glpi-project | 1 Activity | 2025-02-06 | N/A | 7.5 HIGH |
| The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter. | |||||
| CVE-2022-34125 | 1 Glpi-project | 1 Cmdb | 2025-02-06 | N/A | 6.5 MEDIUM |
| front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter. | |||||