CVE-2023-28838 – GLPI vulnerable to SQL injection through dynamic reports
https://notcve.org/view.php?id=CVE-2023-28838
GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user. • https://github.com/glpi-project/glpi/releases/tag/10.0.7 https://github.com/glpi-project/glpi/releases/tag/9.5.13 https://github.com/glpi-project/glpi/security/advisories/GHSA-2c7r-gf38-358f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-28636 – GLPI vulnerable to stored Cross-site Scripting in external links
https://notcve.org/view.php?id=CVE-2023-28636
GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7. • https://github.com/glpi-project/glpi/releases/tag/10.0.7 https://github.com/glpi-project/glpi/releases/tag/9.5.13 https://github.com/glpi-project/glpi/security/advisories/GHSA-55pm-mc2m-pq46 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-41941 – glpi contains XSS Stored inside Standard Interface Help Link href attribute
https://notcve.org/view.php?id=CVE-2022-41941
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-qqqm-7h6v-7cf4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-22725 – glpi vulnerable to XSS on external links
https://notcve.org/view.php?id=CVE-2023-22725
GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-f5g6-fxrw-pfj7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-23610 – glpi vulnerable to Unauthorized access to data export
https://notcve.org/view.php?id=CVE-2023-23610
GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6. GLPI es un paquete gratuito de software de gestión de TI y activos. • https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf • CWE-269: Improper Privilege Management CWE-732: Incorrect Permission Assignment for Critical Resource •