173 results (0.004 seconds)

CVSS: 5.5EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-x9mj-822q-6cf8 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 3.3EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-r2mm-6499-4m8j • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 4.3EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-rp7w-6343-3m2r • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 6.8EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-p665-mqcr-j96j • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 6.8EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-52h8-76ph-4j9q • CWE-522: Insufficiently Protected Credentials •

CVSS: 7.8EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-6whm-q2rp-prqm • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 3.5EPSS: %CPEs: 1EXPL: 0

30 Jul 2025 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-5mp6-mgmh-vrq7 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

29 Jul 2025 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19. • https://github.com/glpi-project/glpi/security/advisories/GHSA-jh8j-gqxc-6gqj • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 2

18 Mar 2025 — GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. • https://github.com/r1beirin/CVE-2025-24801 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 7.8EPSS: 60%CPEs: 1EXPL: 6

18 Mar 2025 — GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. GLPI suffers from an unauthenticated remote SQL injection vulnerability. This issue is fixed in version 10.0.18. • https://packetstorm.news/files/id/190526 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •