Glpi
GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.
GLPI versions 0.71 through 10.0.22 and 11.0.4 are vulnerable to session hijacking when SSO-based remote authentication is enabled, allowing a local attacker to impersonate another user by stealing an active session on the same machine. An authenticated attacker with local access can exploit this by leveraging SSO variables to gain unauthorized access to victim sessions without requiring elevated privileges. No patch is currently available for this vulnerability.
GLPI versions 11.0.0 through 11.0.4 allow authenticated administrators to conduct Server-Side Request Forgery (SSRF) attacks via the Webhook functionality, potentially enabling reconnaissance of internal network resources. An attacker with administrative privileges could leverage this capability to probe internal services or bypass network access controls. A patch is available in version 11.0.5 and later.
Authenticated users in GLPI versions 0.85 through 10.0.22 can exploit a SQL injection vulnerability to read sensitive data from the application database. The vulnerability requires valid credentials and network access but does not allow data modification or denial of service. Version 10.0.23 contains the fix, though no patch is currently available for affected deployments.
GLPI is a free asset and IT management software package. From version 11.0.0 up to, but not including, 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. [CVSS 7.5 HIGH]
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]
GLPI is a free asset and IT management software package. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers can extract the entire GLPI database including asset inventories, user credentials, helpdesk tickets, and IT infrastructure documentation without any authentication.
GLPI is a free asset and IT management software package. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
GLPI is a free asset and IT management software package. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in GLPI up to 10.0.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.