glpi Info

glpi was added to epel7 repo on 2014-01-21
Page updated: 2023-11-21 11:36
Repo Status - Overall Status

Source NVR: glpi-0.90.5-2.el7 (2018-04-03)

Binary Packages

glpi glpi-0.90.5-2.el7

Bugs

1834490 NEW CVE-2020-11033 glpi: any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User [epel-7]
1834493 NEW CVE-2020-11036 glpi: XSS in the comments of items in the knowledge base and via the User-Agent for administrators [epel-7]
1834500 NEW CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [epel-7]
1834503 NEW CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [epel-7]
1838308 NEW CVE-2020-11060 glpi: remote code execution via the backup functionality [epel-7]
1860261 NEW CVE-2020-15108 glpi: SQL injection in all usages of Clone feature [epel-7]
1882106 NEW CVE-2020-11031 glpi: encryption algorithm used is insecure [epel-7]
1886228 NEW CVE-2020-15226 glpi: SQL Injection in the API's search function [epel-7]
1886237 NEW CVE-2020-15217 glpi: information disclosure through public FAQ [epel-7]
1886266 NEW CVE-2020-15177 glpi: install/install.php endpoint insecurely stores user input into the database as url_base and url_base_api leads to XSS [epel-7]
1886274 NEW CVE-2020-15176 glpi: application does not escape or sanitize leads to sql injection and information disclosure [epel-7]
1886277 NEW CVE-2020-15175 glpi: information disclosure of files and folders contained in /files/ [epel-7]
1902070 NEW CVE-2020-26212 glpi: any CalDAV calendars is read-only for every authenticated user [epel-7]
1904020 NEW CVE-2020-27663 glpi: Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType [epel-7]
1904024 NEW CVE-2020-27662 glpi: Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any database table [epel-7]
1939934 NEW CVE-2021-21255 glpi: it is possible to switch entities with IDOR from a logged in user [epel-7]
1939937 NEW CVE-2021-21258 glpi: cross-site scripting injection vulnerability when using ajax/kanban.php [epel-7]
1939947 NEW CVE-2021-21326 glpi: Horizontal Privilege Escalation [epel-7]
1939950 NEW CVE-2021-21327 glpi: Unsafe Reflection in getItemForItemtype() [epel-7]
1939954 NEW CVE-2021-21324 glpi: Insecure Direct Object Reference (IDOR) on "Solutions" [epel-7]
1939958 NEW CVE-2021-21325 glpi: Stored XSS in budget type [epel-7]
1942567 NEW CVE-2021-21314 glpi: XSS injection on ticket update [epel-7]
1942570 NEW CVE-2021-21312 glpi: Stored XSS on documents [epel-7]
1942573 NEW CVE-2021-21313 glpi: XSS on tabs [epel-7]
2047852 NEW CVE-2022-21719 glpi: Reflected XSS using reload button [epel-7]
2047855 NEW CVE-2022-21720 glpi: SQL injection using custom CSS administration form [epel-7]
2077732 NEW CVE-2022-24867 CVE-2022-24868 CVE-2022-24869 glpi: allow for a cross site scripting attack vector [epel-7]
2095536 NEW CVE-2022-24876 glpi: cross site scripting [epel-7]
2103139 NEW CVE-2022-31068 glpi: possible information leak [epel-7]
2103143 NEW CVE-2022-31061 glpi: possible SQL injection on login page [epel-7]
2132606 NEW CVE-2021-39213 glpi: IP restriction on GLPI API Bypass with custom header injection [epel-7]
2139933 NEW CVE-2022-39234 glpi: persistent cookie allows deleted user to stay logged in [epel-7]
2139939 NEW CVE-2022-39262 glpi: injected XSS in login page [epel-7]
2139941 NEW CVE-2022-39276 glpi: SSRF in feeds [epel-7]
2140036 NEW CVE-2022-39277 glpi: XSS in external links [epel-7]
2140039 NEW CVE-2022-39376 glpi: Improper input validation on emails links [epel-7]
2140041 NEW CVE-2022-39375 glpi: XSS through public RSS feed [epel-7]
2140045 NEW CVE-2022-39370 glpi: Improper access to debug panel [epel-7]
2140047 NEW CVE-2022-39371 glpi: Stored XSS through asset inventory [epel-7]
2140049 NEW CVE-2022-39372 glpi: Stored XSS in user information [epel-7]
2140051 NEW CVE-2022-39373 glpi: Stored XSS in entity name [epel-7]
2184794 NEW CVE-2023-28632 glpi: Authenticated user can modify emails of any user [epel-7]
2184796 NEW CVE-2023-28633 glpi: Usage of RSS feeds is subject to server-side request forgery [epel-7]
2184799 NEW CVE-2023-28634 glpi: user who has the Technician profile could see and generate a Personal token for a Super-Admin [epel-7]
2184813 NEW CVE-2023-29006 glpi: Authenticated user can craft URL to execute a system command [epel-7]
2184816 NEW CVE-2023-28855 glpi: Access control check allows any authenticated user to write data to any fields container [epel-7]
2184818 NEW CVE-2023-28852 glpi: User with dashboard administration rights may hack the dashboard form to store malicious code [epel-7]
2184820 NEW CVE-2023-28849 glpi: Inventory endpoint can be used to drive a SQL injection attack [epel-7]
2184822 NEW CVE-2023-28838 glpi: SQL Injection vulnerability [epel-7]
2184825 NEW CVE-2023-28639 glpi: Malicious link can be crafted by an unauthenticated user [epel-7]
2184827 NEW CVE-2023-28636 glpi: Administrator can create a malicious external link [epel-7]
2220914 NEW CVE-2023-36808 glpi: SQL injection through Computer Virtual Machine information [epel-7]
2220916 NEW CVE-2023-34106 glpi: Unauthorized access to user data [epel-7]

Install Failures