CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36808 – GLPI vulnerable to SQL injection through Computer Virtual Machine information
https://notcve.org/view.php?id=CVE-2023-36808
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. • https://github.com/glpi-project/glpi/releases/tag/10.0.8 https://github.com/glpi-project/glpi/security/advisories/GHSA-vf5h-jh9q-2gjm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35940 – GLPI vulnerable to unauthenticated access to Dashboard data
https://notcve.org/view.php?id=CVE-2023-35940
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue. • https://github.com/glpi-project/glpi/releases/tag/10.0.8 https://github.com/glpi-project/glpi/security/advisories/GHSA-qrh8-rg45-45fw • CWE-284: Improper Access Control CWE-287: Improper Authentication CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35939 – GLPI vulnerable to unauthorized access to Dashboard data
https://notcve.org/view.php?id=CVE-2023-35939
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue. • https://github.com/glpi-project/glpi/releases/tag/10.0.8 https://github.com/glpi-project/glpi/security/advisories/GHSA-cjcx-pwcx-v34c • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35924 – GLPI vulnerable to SQL injection via inventory agent request
https://notcve.org/view.php?id=CVE-2023-35924
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory. • https://github.com/glpi-project/glpi/releases/tag/10.0.8 https://github.com/glpi-project/glpi/security/advisories/GHSA-gxh4-j63w-8jmm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34244 – GLPI vulnerable to reflected XSS in search pages
https://notcve.org/view.php?id=CVE-2023-34244
GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch. • https://github.com/glpi-project/glpi/releases/tag/10.0.8 https://github.com/glpi-project/glpi/security/advisories/GHSA-p93p-pwg9-w95w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •