CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27147 – GLPI Inventory plugin has Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2025-27147
25 Mar 2025 — The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability. • https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26626 – GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting
https://notcve.org/view.php?id=CVE-2025-26626
14 Mar 2025 — The GLPI Inventory Plugin handles various types of tasks for GLPI agents for the GLPI asset and IT management software package. Versions prior to 1.5.0 are vulnerable to reflective cross-site scripting, which may lead to executing javascript code. Version 1.5.0 fixes the issue. • https://github.com/glpi-project/glpi-inventory-plugin/blob/1.5.0/CHANGELOG.md#150---2025-02-25 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31082 – SQL Injection via package deployment tasks in glpi-inventory-plugin
https://notcve.org/view.php?id=CVE-2022-31082
27 Jun 2022 — GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature. • https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 4%CPEs: 1EXPL: 2CVE-2022-31062 – Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2022-31062
20 Jun 2022 — ### Impact A plugin public script can be used to read content of system files. ### Patches Upgrade to version 1.0.2. ### Workarounds `b/deploy/index.php` file can be deleted if deploy feature is not used. ### Impacto Un script público del plugin puede ser usado para leer el contenido de los archivos del sistema. ### Parches Actualizar a versión 1.0.2. ### Mitigaciones el archivo "b/deploy/index.php" puede ser eliminado si no es usada la función deploy GLPI Glpiinventory versions 1.0.1 and below suffer from ... • https://packetstorm.news/files/id/171654 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •