CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43813 – glpi Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2023-43813
13 Dec 2023 — GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue. GLPI es un paquete de software gratuito de gestión de activos y TI. A partir de la versión 10.0.0 y anteriores a la versión 10.0.11, la función de búsqueda guardada se puede utilizar para realizar una inyección SQL. • https://github.com/glpi-project/glpi/commit/4bd7f02d940953b9cbc9d285f7544bb0e490e75e • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2023-42802 – GLPI vulnerable to unallowed PHP script execution
https://notcve.org/view.php?id=CVE-2023-42802
02 Nov 2023 — GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server. • https://github.com/glpi-project/glpi/releases/tag/10.0.10 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.4EPSS: 1%CPEs: 1EXPL: 0CVE-2023-42462 – File deletion through document upload process in GLPI
https://notcve.org/view.php?id=CVE-2023-42462
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona funciones de ITIL Service D... • https://github.com/glpi-project/glpi/security/advisories/GHSA-hm76-jh96-7j75 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-42461 – SQL injection in ITIL actors in GLPI
https://notcve.org/view.php?id=CVE-2023-42461
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona func... • https://github.com/glpi-project/glpi/security/advisories/GHSA-x3jp-69f2-p84w • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41888 – Phishing through a login page malicious URL in GLPI
https://notcve.org/view.php?id=CVE-2023-41888
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GL... • https://github.com/glpi-project/glpi/security/advisories/GHSA-2hcg-75jj-hghp • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41326 – Account takeover via Kanban feature in GLPI
https://notcve.org/view.php?id=CVE-2023-41326
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión ... • https://github.com/glpi-project/glpi/security/advisories/GHSA-5wj6-hp4c-j5q9 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41324 – Account takeover through API in GLPI
https://notcve.org/view.php?id=CVE-2023-41324
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona funcio... • https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3 • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41323 – Users login enumeration by unauthenticated user in GLPI
https://notcve.org/view.php?id=CVE-2023-41323
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona funciones de ITIL Service Desk, seguimien... • https://github.com/glpi-project/glpi/security/advisories/GHSA-5cf4-6q6r-49x9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41322 – Privilege Escalation from technician to super-admin in GLPI
https://notcve.org/view.php?id=CVE-2023-41322
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de G... • https://github.com/glpi-project/glpi/security/advisories/GHSA-9j8m-7563-8xvr • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41321 – Sensitive fields enumeration through API in GLPI
https://notcve.org/view.php?id=CVE-2023-41321
26 Sep 2023 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability. Gestionnaire Libre de Parc Informatique (GLPI) es un paquete Gratuito de Software de Gestión de Activos IT, que proporciona f... • https://github.com/glpi-project/glpi/security/advisories/GHSA-3fxw-j5rj-w836 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •