Glpi

28 CVEs for this product

CVE-2026-42321 HIGH PATCH This Week

Stored cross-site scripting in GLPI 10.0.4 through 10.0.24 allows an authenticated technician to persist a malicious JavaScript payload in the asset locked tab, which executes in the browser of any subsequent user who views the affected asset. The flaw carries a CVSS 4.0 score of 8.4, driven by high impact on the confidentiality, integrity, and availability of the victim session, though exploitation requires high privileges (technician role) and user interaction. No public exploit was identified at time of analysis, and SSVC reports no observed exploitation.

XSS Glpi
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-42320 MEDIUM PATCH This Month

Arbitrary file read within GLPI_DOC_DIR is exploitable by authenticated technicians in GLPI versions 0.50 through 10.0.24 and 11.0.0 through 11.0.6, stemming from missing authorization controls (CWE-862) on document directory access. An attacker holding a technician-level account can read any file stored under the GLPI_DOC_DIR path without appropriate privilege checks, exposing potentially sensitive documents, attachments, or internal data. No public exploit is identified at time of analysis, and CISA's SSVC framework rates exploitation as none with non-automatable attack paths.

Authentication Bypass Glpi
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-42318 HIGH PATCH This Week

Unauthorized object deletion in GLPI versions 9.5.0 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated low-privilege users with planning access to delete arbitrary objects across the asset and IT management platform. The flaw stems from a missing authorization check (CWE-862) tied to the planning module, and no public exploit was identified at time of analysis. Patches are available in 10.0.25 and 11.0.7.

Authentication Bypass Glpi
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-42317 HIGH PATCH This Week

Arbitrary file deletion in GLPI versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6 allows authenticated technicians to remove any file on the webserver filesystem to which the web process has write permissions. The flaw is tracked as a missing authorization issue (CWE-862) and is tagged as an authentication bypass; no public exploit was identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Glpi
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-44281 HIGH PATCH This Week

Authorization bypass in GLPI IT asset management software (versions 0.78 through 10.0.24 and 11.0.0 through 11.0.6) permits an authenticated user holding only the config READ permission to access a specific asset object that should be outside their authorization scope. No public exploit was identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none' with partial technical impact. Vendor patches are available in 10.0.25 and 11.0.7.

Authentication Bypass Glpi
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-5385 HIGH PATCH This Week

Stored cross-site scripting in GLPI before 11.0.7 allows an attacker with write access to the knowledge base to embed a persistent XSS payload that executes in the browsers of users who later view the affected knowledge base item. The flaw was reported by Fluid Attacks and is rated High severity (CVSS 8.4) by the vendor, who shipped a fix in the 11.0.7 security release; no public exploit was identified at time of analysis, and the issue is not on the CISA KEV list.

XSS Glpi
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-32312 MEDIUM This Month

Unauthorized form structure disclosure in GLPI 11.0.0 through 11.0.6 allows a high-privileged authenticated user holding forms READ permission to export the structural definition of forms they are not authorized to access. The flaw, rooted in CWE-862 (Missing Authorization), means the application validates that a user can perform form exports in general but fails to verify per-form access entitlements before returning structure data. Impact is limited to low confidentiality exposure of form schemas with no integrity or availability consequence. No public exploit code or CISA KEV listing exists at time of analysis, and the vendor has released a confirmed fix in 11.0.7.

Authentication Bypass Glpi
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-29047 HIGH PATCH This Week

SQL injection in GLPI asset management software versions 10.0.0 through 10.0.23 and 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary SQL commands through the logs export feature. The vulnerability requires high-level privileges (PR:H), limiting the attack surface to compromised admin accounts or malicious insiders. No public exploit was identified at time of analysis. The CVSS score of 7.2 reflects the high impact but limited attacker base, while the network attack vector (AV:N) means exploitation requires only network access to the GLPI instance.

SQLi Glpi
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26263 HIGH PATCH This Week

Time-based blind SQL injection in GLPI's Search engine allows remote unauthenticated attackers to extract sensitive database contents and potentially achieve code execution. GLPI versions 11.0.0 through 11.0.5 are vulnerable. The CVSS vector (PR:N) confirms that no authentication is required, though attack complexity is rated high (AC:H). EPSS data is not available, and the absence of a CISA KEV listing indicates no confirmed active exploitation at time of analysis, but the unauthenticated remote attack surface and the SQL injection nature of the flaw present significant risk for this widely deployed IT asset management platform.

SQLi Glpi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26027 HIGH PATCH This Week

Stored XSS in GLPI 11.0.0 through 11.0.5 allows remote attackers to inject malicious scripts via the inventory endpoint without authentication, leading to potential session hijacking and unauthorized actions when victims interact with poisoned inventory data. CVSS 7.5 (High) with a network attack vector and no privileges required (PR:N). No public exploit was identified at time of analysis, though the unauthenticated nature and stored XSS persistence elevate practical risk for environments with publicly accessible GLPI installations.

XSS Glpi
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26026 CRITICAL PATCH Act Now

Remote code execution in GLPI asset management software versions 11.0.0 through 11.0.5 allows authenticated administrators to execute arbitrary code via template injection. The vulnerability requires high privileges (administrator access) but enables complete system compromise with changed scope, indicating a potential breakout from the application context. CVSS 9.1 (Critical). No public exploit was identified at time of analysis, and EPSS data is unavailable for this recent CVE. Fixed in version 11.0.6.

RCE Code Injection Glpi
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25932 HIGH PATCH This Week

Stored cross-site scripting (XSS) in GLPI asset management software allows authenticated technician-level users to inject malicious JavaScript into supplier fields, achieving script execution in victim browsers with high confidentiality, integrity, and availability impact. Affects GLPI versions 0.60 through 10.0.23; patched in version 10.0.24. EPSS data is not available; no public exploit was identified at time of analysis, and the issue is not listed in CISA KEV. The CVSS score of 7.2 reflects a network-accessible attack requiring high privileges but no user interaction, making this a medium-priority issue for organizations running vulnerable GLPI instances with multiple technician accounts.

XSS Glpi
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-25937 MEDIUM This Month

GLPI versions 11.0.0 through 11.0.5 contain an authentication bypass vulnerability that allows an attacker with knowledge of a user's credentials to circumvent multi-factor authentication (MFA) and gain unauthorized account access. This vulnerability affects the GLPI asset and IT management software and is classified as CWE-287 (Improper Authentication), with a CVSS score of 6.5 indicating medium severity. The issue has been patched in version 11.0.6, and while no active KEV listing or public proof-of-concept is noted in available sources, the authentication bypass nature suggests moderate exploitation probability.

Authentication Bypass Glpi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25936 MEDIUM PATCH This Month

GLPI versions 11.0.0 through 11.0.5 contain an authenticated SQL injection vulnerability that allows authenticated users to read sensitive database contents without modification or denial-of-service capabilities. The vulnerability affects the free Asset and IT management software package GLPI and is resolved in version 11.0.6. While the CVSS score of 6.5 reflects moderate severity, the impact is limited to confidentiality breach due to the read-only nature of the exploit and the requirement for prior authentication.

SQLi Glpi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23624 MEDIUM This Month

GLPI versions 0.71 through 10.0.22 and 11.0.4 are vulnerable to session hijacking when SSO-based remote authentication is enabled, allowing a local attacker to impersonate another user by stealing an active session on the same machine. An authenticated attacker with local access can exploit this by leveraging SSO variables to gain unauthorized access to victim sessions without requiring elevated privileges. No patch is currently available for this vulnerability.

Information Disclosure Glpi
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-22247 MEDIUM This Month

GLPI versions 11.0.0 through 11.0.4 allow authenticated administrators to conduct Server-Side Request Forgery (SSRF) attacks via the Webhook functionality, potentially enabling reconnaissance of internal network resources. An attacker with administrative privileges could leverage this capability to probe internal services or bypass network access controls. A patch is available in version 11.0.5 and later.

SSRF Glpi
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-22044 MEDIUM This Month

Authenticated users in GLPI versions 0.85 through 10.0.22 can exploit a SQL injection vulnerability to read sensitive data from the application database. The vulnerability requires valid credentials and network access but does not allow data modification or denial of service. Version 10.0.23 contains the fix, though no patch is currently available for affected deployments.

SQLi Glpi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66417 HIGH This Week

GLPI is a free asset and IT management software package. From 11.0.0, < 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. [CVSS 7.5 HIGH]

SQLi Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-64516 HIGH PATCH This Week

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). [CVSS 7.5 HIGH]

Authentication Bypass Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-24801 HIGH This Week

GLPI is a free asset and IT management software package. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

PHP File Upload Glpi
NVD GitHub
CVSS 3.1
8.5
EPSS
0.3%
CVE-2025-24799 HIGH POC THREAT Act Now

GLPI IT asset management platform contains an unauthenticated SQL injection through the inventory endpoint. Attackers can extract the entire GLPI database including asset inventories, user credentials, helpdesk tickets, and IT infrastructure documentation without any authentication.

SQLi Glpi
NVD GitHub
CVSS 3.1
7.5
EPSS
55.1%
Threat
4.7
CVE-2025-21619 HIGH This Week

GLPI is a free asset and IT management software package. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Glpi
NVD GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2025-25192 MEDIUM This Month

GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP Glpi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-23046 MEDIUM This Month

GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Glpi
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-23024 MEDIUM This Month

GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Glpi
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-21627 MEDIUM This Month

GLPI is a free asset and IT management software package. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Glpi
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-21626 MEDIUM This Month

GLPI is a free asset and IT management software package. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP Glpi
NVD GitHub
CVSS 3.1
5.8
EPSS
0.2%
CVE-2024-11955 MEDIUM POC This Month

A vulnerability was found in GLPI up to 10.0.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect PHP Glpi
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%