CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28632 – GLPI vulnerable to account takeover by authenticated user
https://notcve.org/view.php?id=CVE-2023-28632
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password? • https://github.com/glpi-project/glpi/releases/tag/10.0.7 https://github.com/glpi-project/glpi/releases/tag/9.5.13 https://github.com/glpi-project/glpi/security/advisories/GHSA-7pwm-pg76-3q9x • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-28639 – GLPI vulnerable to reflected Cross-site Scripting in search pages
https://notcve.org/view.php?id=CVE-2023-28639
GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7. • https://github.com/glpi-project/glpi/releases/tag/10.0.7 https://github.com/glpi-project/glpi/releases/tag/9.5.13 https://github.com/glpi-project/glpi/security/advisories/GHSA-r93q-chh5-jgh4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.2EPSS: 0%CPEs: 2EXPL: 0CVE-2022-41941 – glpi contains XSS Stored inside Standard Interface Help Link href attribute
https://notcve.org/view.php?id=CVE-2022-41941
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-qqqm-7h6v-7cf4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22500 – glpi Unauthorized access to inventory files
https://notcve.org/view.php?id=CVE-2023-22500
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. • https://github.com/glpi-project/glpi/security/advisories/GHSA-3ghv-p34r-5ghx • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22722 – glpi subject to Cross-site Scripting (XSS) - Reflected
https://notcve.org/view.php?id=CVE-2023-22722
GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6. • https://github.com/glpi-project/glpi/security/advisories/GHSA-352j-wr38-493c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •