CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31456 – GLPI contains an authenticated SQL injection
https://notcve.org/view.php?id=CVE-2024-31456
07 May 2024 — GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15. GLPI es un paquete gratuito de software de gestión de TI y activos. Antes de 10.0.15, un usuario autenticado podía aprovechar una vulnerabilidad de inyección SQL desde la búsqueda de mapas. • https://github.com/glpi-project/glpi/commit/730c3db29a1edc32f9b9d1e2a940e90a0211ab26 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 36%CPEs: 1EXPL: 0CVE-2024-29889 – GLPI contains an SQL injection through the saved searches
https://notcve.org/view.php?id=CVE-2024-29889
07 May 2024 — GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15. GLPI es un paquete gratuito de software de gestión de TI y activos. Antes de 10.0.15, un usuario autenticado podía explotar una vulnerabilidad de inyección SQL en la función de búsquedas guardadas para alterar los datos de la cuenta de otro usuario... • https://github.com/glpi-project/glpi/commit/0a6b28be4c0f848106c60b554c703ec2e178d6c7 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28241 – GlPI-Agent MSI package installation doesn't update folder security profile when using non default installation folder
https://notcve.org/view.php?id=CVE-2024-28241
25 Apr 2024 — The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system. El Agente GLPI es un agente de gestión genérico. • https://github.com/glpi-project/glpi-agent/commit/9a97114f595562c91b0833b4a800dd51e9df65e9 • CWE-269: Improper Privilege Management •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28240 – GLPI-Agent's MSI package installation permits local users to change Agent configuration
https://notcve.org/view.php?id=CVE-2024-28240
25 Apr 2024 — The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the case the Deploy task is installed, a local malicious user can trigger privilege escalation configuring a malicious server providing its own deploy task payload. GLPI-Agent 1.7.2 contains a patch for this issue. As a workaround, edit ... • https://github.com/glpi-project/glpi-agent/commit/41bbb1169e899bd15350a9e2fdbf9269a3b7a14f • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 1CVE-2024-31705 – GLPI 10.x.x Remote Command Execution
https://notcve.org/view.php?id=CVE-2024-31705
15 Apr 2024 — An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. Un problema en Infotel Conseil GLPI v.10.XX y posteriores permite a un atacante remoto ejecutar código arbitrario a través de una validación insuficiente de la entrada proporcionada por el usuario. GLPI versions 10.x.x suffers from a remote command execution vulnerability via the shell commands plugin. • https://packetstorm.news/files/id/178062 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 6%CPEs: 1EXPL: 1CVE-2024-27914 – Reflected Cross-Site Scripting (XSS) in search engine when debug mode is enabled in GLPI
https://notcve.org/view.php?id=CVE-2024-27914
18 Mar 2024 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk,... • https://github.com/shellkraft/CVE-2024-27914 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27104 – Stored XSS in dashboards in GLPI
https://notcve.org/view.php?id=CVE-2024-27104
18 Mar 2024 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditor... • https://github.com/glpi-project/glpi/commit/b409ca437864607b03c2014b9e3293b7f141af65 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27098 – Blind Server-Side Request Forgery (SSRF) using Arbitrary Object Instantiation in GLPI
https://notcve.org/view.php?id=CVE-2024-27098
18 Mar 2024 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditoría de software. Un usuario autenticado puede ejecutar un ataque basado en SSRF ut... • https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3693b20ada3425d2de5108522484 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27096 – SQL Injection in through the search engine
https://notcve.org/view.php?id=CVE-2024-27096
18 Mar 2024 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditoría de software. Un usuario autenticado puede aprovech... • https://github.com/glpi-project/glpi/commit/61a0c2302b4f633f5065358adc36058e1abc37f9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27930 – Sensitive fields access through dropdowns in GLPI
https://notcve.org/view.php?id=CVE-2024-27930
18 Mar 2024 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditoría de software. Un usuario autenticado puede acceder a datos de campos confide... • https://borelenzo.github.io/stuff/2024/02/29/glpi-pwned.html • CWE-285: Improper Authorization •