Filtered by vendor Glpi-project
Subscribe
Total
103 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-15175 | 1 Glpi-project | 1 Glpi | 2023-03-01 | 6.4 MEDIUM | 9.1 CRITICAL |
In GLPI before version 9.5.2, the `?pluginimage.send.php?` endpoint allows a user to specify an image from a plugin. The parameters can be maliciously crafted to instead delete the .htaccess file for the files directory. Any user becomes able to read all the files and folders contained in “/files/”. Some of the sensitive information that is compromised are the user sessions, logs, and more. An attacker would be able to get the Administrators session token and use that to authenticate. The issue is patched in version 9.5.2. | |||||
CVE-2023-23610 | 1 Glpi-project | 1 Glpi | 2023-02-02 | N/A | 6.5 MEDIUM |
GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6. | |||||
CVE-2023-22725 | 1 Glpi-project | 1 Glpi | 2023-02-02 | N/A | 4.8 MEDIUM |
GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6. | |||||
CVE-2023-22722 | 1 Glpi-project | 1 Glpi | 2023-02-01 | N/A | 6.1 MEDIUM |
GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6. | |||||
CVE-2023-22724 | 1 Glpi-project | 1 Glpi | 2023-02-01 | N/A | 4.8 MEDIUM |
GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6. | |||||
CVE-2023-22500 | 1 Glpi-project | 1 Glpi | 2023-02-01 | N/A | 7.5 HIGH |
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`). | |||||
CVE-2022-41941 | 1 Glpi-project | 1 Glpi | 2023-02-01 | N/A | 4.8 MEDIUM |
GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6. | |||||
CVE-2022-39181 | 1 Glpi-project | 1 Reports | 2022-11-23 | N/A | 6.1 MEDIUM |
GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or emailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser. | |||||
CVE-2022-39234 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 8.8 HIGH |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39376 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 6.5 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39375 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.4 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39373 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 4.8 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4. | |||||
CVE-2022-39372 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.4 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39371 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.4 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39370 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 4.3 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This issue has been patched, please upgrade to 10.0.4. As a workaround, delete the `install/update.php` script. | |||||
CVE-2022-39277 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 4.8 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39323 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 9.8 CRITICAL |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on API Rest. | |||||
CVE-2022-39276 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 5.3 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by administrator. This issue has been patched, please upgrade to 10.0.4. There are currently no known workarounds. | |||||
CVE-2022-39262 | 1 Glpi-project | 1 Glpi | 2022-11-03 | N/A | 4.8 MEDIUM |
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4. | |||||
CVE-2022-35914 | 1 Glpi-project | 1 Glpi | 2022-10-25 | N/A | 9.8 CRITICAL |
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection. |