Glpi Inventory
Monthly
GLPI Inventory Plugin versions prior to 1.6.6 contain a reflected cross-site scripting vulnerability in task jobs that allows authenticated attackers with high privileges to execute malicious scripts in users' browsers. An attacker can exploit this by crafting a malicious link to inject arbitrary HTML or JavaScript when a user clicks it, potentially leading to session hijacking or credential theft. No patch is currently available for affected installations.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
### Impact A plugin public script can be used to read content of system files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
GLPI Inventory Plugin versions prior to 1.6.6 contain a reflected cross-site scripting vulnerability in task jobs that allows authenticated attackers with high privileges to execute malicious scripts in users' browsers. An attacker can exploit this by crafting a malicious link to inject arbitrary HTML or JavaScript when a user clicks it, potentially leading to session hijacking or credential theft. No patch is currently available for affected installations.
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
### Impact A plugin public script can be used to read content of system files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.