Filtered by vendor Glpi-project
Subscribe
Total
199 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52567 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 3.5 LOW |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19. | |||||
| CVE-2025-27514 | 1 Glpi-project | 1 Glpi | 2025-08-04 | N/A | 4.5 MEDIUM |
| GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19. | |||||
| CVE-2025-24801 | 1 Glpi-project | 1 Glpi | 2025-08-01 | N/A | 8.5 HIGH |
| GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of *.php files located on the GLPI server. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2025-21619 | 1 Glpi-project | 1 Glpi | 2025-07-31 | N/A | 9.8 CRITICAL |
| GLPI is a free asset and IT management software package. An administrator user can perfom a SQL injection through the rules configuration forms. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2025-24799 | 1 Glpi-project | 1 Glpi | 2025-07-31 | N/A | 7.5 HIGH |
| GLPI is a free asset and IT management software package. An unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 10.0.18. | |||||
| CVE-2022-21720 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 4.0 MEDIUM | 4.9 MEDIUM |
| GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability. | |||||
| CVE-2022-21719 | 1 Glpi-project | 1 Glpi | 2025-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| GLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds. | |||||
| CVE-2025-25192 | 1 Glpi-project | 1 Glpi | 2025-04-23 | N/A | 6.5 MEDIUM |
| GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file. | |||||
| CVE-2017-11184 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | |||||
| CVE-2017-11474 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. | |||||
| CVE-2017-11183 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 5.5 MEDIUM | 4.9 MEDIUM |
| front/backup.php in GLPI before 9.1.5 allows remote authenticated administrators to delete arbitrary files via a crafted file parameter. | |||||
| CVE-2016-7509 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to inject arbitrary web script or HTML by attaching a crafted HTML file to a ticket. | |||||
| CVE-2016-7507 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 allows remote authenticated attackers to submit a request that could lead to the creation of an admin account in the application. | |||||
| CVE-2016-7508 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 6.0 MEDIUM | 7.5 HIGH |
| Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. | |||||
| CVE-2017-11475 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exploitable via front/rulesengine.test.php. | |||||
| CVE-2017-11329 | 1 Glpi-project | 1 Glpi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | |||||
| CVE-2013-2225 | 1 Glpi-project | 1 Glpi | 2025-04-12 | 6.4 MEDIUM | N/A |
| inc/ticket.class.php in GLPI 0.83.9 and earlier allows remote attackers to unserialize arbitrary PHP objects via the _predefined_fields parameter to front/ticket.form.php. | |||||
| CVE-2013-2226 | 1 Glpi-project | 1 Glpi | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in GLPI before 0.83.9 allow remote attackers to execute arbitrary SQL commands via the (1) users_id_assign parameter to ajax/ticketassigninformation.php, (2) filename parameter to front/document.form.php, or (3) table parameter to ajax/comments.php. | |||||
| CVE-2014-5032 | 1 Glpi-project | 1 Glpi | 2025-04-12 | 5.0 MEDIUM | N/A |
| GLPI before 0.84.7 does not properly restrict access to cost information, which allows remote attackers to obtain sensitive information via the cost criteria in the search bar. | |||||
| CVE-2014-9258 | 1 Glpi-project | 1 Glpi | 2025-04-12 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. | |||||