CVE-2024-31456 – GLPI contains an authenticated SQL injection
https://notcve.org/view.php?id=CVE-2024-31456
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15. GLPI es un paquete gratuito de software de gestión de TI y activos. Antes de 10.0.15, un usuario autenticado podía aprovechar una vulnerabilidad de inyección SQL desde la búsqueda de mapas. • https://github.com/glpi-project/glpi/commit/730c3db29a1edc32f9b9d1e2a940e90a0211ab26 https://github.com/glpi-project/glpi/security/advisories/GHSA-gcj4-2cp3-6h5j • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-29889 – GLPI contains an SQL injection through the saved searches
https://notcve.org/view.php?id=CVE-2024-29889
GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15. GLPI es un paquete gratuito de software de gestión de TI y activos. Antes de 10.0.15, un usuario autenticado podía explotar una vulnerabilidad de inyección SQL en la función de búsquedas guardadas para alterar los datos de la cuenta de otro usuario y tomar el control de ella. • https://github.com/glpi-project/glpi/commit/0a6b28be4c0f848106c60b554c703ec2e178d6c7 https://github.com/glpi-project/glpi/security/advisories/GHSA-8xvf-v6vv-r75g • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-28241 – GlPI-Agent MSI package installation doesn't update folder security profile when using non default installation folder
https://notcve.org/view.php?id=CVE-2024-28241
The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system. El Agente GLPI es un agente de gestión genérico. • https://github.com/glpi-project/glpi-agent/commit/9a97114f595562c91b0833b4a800dd51e9df65e9 https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-3268-p58w-86hw • CWE-269: Improper Privilege Management •
CVE-2024-28240 – GLPI-Agent's MSI package installation permits local users to change Agent configuration
https://notcve.org/view.php?id=CVE-2024-28240
The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the case the Deploy task is installed, a local malicious user can trigger privilege escalation configuring a malicious server providing its own deploy task payload. GLPI-Agent 1.7.2 contains a patch for this issue. As a workaround, edit GLPI-Agent related key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and add `SystemComponent` DWORD value setting it to `1` to hide GLPI-Agent from installed applications. • https://github.com/glpi-project/glpi-agent/commit/41bbb1169e899bd15350a9e2fdbf9269a3b7a14f https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-hx3x-mmqg-h3jp • CWE-20: Improper Input Validation •
CVE-2024-27914 – Reflected Cross-Site Scripting (XSS) in search engine when debug mode is enabled in GLPI
https://notcve.org/view.php?id=CVE-2024-27914
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13. GLPI es un paquete gratuito de software de gestión de TI y activos, gestión de centros de datos, ITIL Service Desk, seguimiento de licencias y auditoría de software. • https://github.com/glpi-project/glpi/commit/69e0dee8de0c0df139b42dbfa1a8997888c2af95 https://github.com/glpi-project/glpi/releases/tag/10.0.13 https://github.com/glpi-project/glpi/security/advisories/GHSA-rcxj-fqr4-q34r • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •